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ABSTRACT 


A  major  goal  of  using  any  security  protocol  is  to  create  certain  beliefs  in  the  participants.  A 
security  protocol  will  use  techniques  like  cryptography  to  guarantee  some  things,  but  it  will  still 
require  a  participant  to  make  assumptions  about  other  things  that  the  protocol  cannot  guarantee; 
such  assumptions  often  constitute  trust  in  other  participants.  In  this  thesis,  we  attempt  to  pre¬ 
cisely  identify  the  required  assumptions  of  some  example  protocols.  In  the  process,  we  find  that 
we  must  consider  the  names  that  participants  use  to  reason  about  each  other.  It  turns  out  that 
naming  is  a  complex  topic  with  a  rich  body  of  philosophical  work,  and  we  apply  some  ideas 
from  this  work  to  the  problem  of  identifying  security  protocols’  required  assumptions.  Finally, 
we  begin  work  on  a  mathematical  model  of  protocols  and  beliefs  to  which  a  formal  logic  of 
belief  could  be  applied.  The  model  is  left  incomplete  because  of  some  unresolved  problems 
with  modeling  belief  caused  by  the  design  requirement  that  the  model’s  elements  have  clear 
operational  meanings.  The  solution  of  these  problems  is  left  as  future  work. 
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There  are  four  sorts  of  men: 

He  who  -i K  and  ->K->K:  he  is  a  fool  —  shun  him; 
He  who  -i K  and  K-iK:  he  is  simple  —  teach  him; 
He  who  K  and  -> KK:  he  is  asleep  —  wake  him; 
He  who  K  and  KK:  he  is  wise  —  follow  him. 


Paraphrased  Arabian  proverb. 
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CHAPTER  1 : 
Introduction 


1.1  Beliefs  in  Security  Protocols 

In  April  2011,  the  White  House  released  “National  Strategy  for  Trusted  Identities  in  Cyberspace” 
(NSTIC)  ([1]),  which  describes  a  plan  for  encouraging  the  widespread  use  of  a  particular  style 
of  online  identification  and  authentication  often  called  ‘federated  identity’,  ‘federated  authen¬ 
tication’,  and  ‘federated  identity  management’  (e.g.,  [2]  and  [3]).  If  the  plan  is  successful, 
Americans  will  log  into  their  various  online  accounts  —  email  accounts,  bank  accounts,  Twit¬ 
ter  and  Facebook  and  Skype  accounts,  etc. —  using  identifiers  and  credentials  issued,  or  at 
least  vouched  for,  by  a  third-party  “identity  provider,”  instead  of  using  a  potentially  different 
usemame-password  pair  for  each  account.  With  this  scheme,  the  White  House  hopes  to  address 
problems  such  as  the  burden  on  users  of  maintaining  multiple  username-password  pairs  and  the 
burden  on  service  providers  of  performing  authentication  for  each  account;  moreover,  they  be¬ 
lieve  that  this  scheme  will  provide  authentication  mechanisms  with  even  greater  assurance  than 
is  currently  possible,  so  that  services  currently  deemed  too  sensitive  to  offer  online  will  become 
available. 

The  public  draft  of  this  plan,  released  in  June  2010,  was  the  primary  motivator  for  this  thesis. 
This  thesis  is,  in  part,  about  the  difference  between  “traditional”  mechanisms  of  online  identi¬ 
fication  and  authentication  and  the  kind  of  mechanisms  advocated  in  NSTIC.  This  difference  is 
not  in  the  strength  of  encryption,  the  quality  of  the  credentials,  or  the  sensitivity  of  the  accounts 
and  activities  that  are  protected,  and  yet  the  result  is  that  the  White  House’s  mechanisms  are 
riskier  than  traditional  ones. 

The  difference  is  that  NSTIC’s  mechanisms  require  more  trust  on  the  part  of  participants.  Trust 
in  this  context  can  be  thought  of  as  a  belief  about  a  person  or  entity  that  one  must  have  in 
order  to  act  and  whose  truth  is  important  to  one’s  well-being.  This  thesis  presents  a  view  of 
security  protocols  in  general  that  emphasizes  the  beliefs  that  participants  are  supposed  to  have 
(the  “required  assumptions”)  before  using  the  protocol,  in  order  for  it  to  achieve  its  goals.  This 
view  also  presents  security  protocols’  goals  as  beliefs  (the  “goal  beliefs”)  that  the  protocols  are 
supposed  to  induce  in  the  participants.  In  other  words,  a  security  protocol  presents  an  argument 
to  a  participant,  based  on  the  participant’s  assumptions,  whose  conclusions  are  the  goals  (for 
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that  participant)  of  the  protocol.  One  of  our  observations  will  be  that,  the  more  trust  that  a 
protocol  requires,  the  riskier  it  is  (all  else  equal). 

Another  of  our  observations  will  be  that  identifying  a  protocol’s  required  assumptions,  and  the 
beliefs  that  it  is  supposed  to  induce,  is  not  trivial.  Trust  is  just  one  kind  of  assumption  that 
participants  may  be  required  to  make  —  some  other  kinds  are  assumptions  about  the  meanings 
of  messages  sent  during  a  run  and  assumptions  about  the  beliefs  of  other  participants.  Addition¬ 
ally,  we  will  see  that,  to  describe  these  beliefs,  we  must  account  for  the  names  that  participants 
use  to  refer  to  people,  other  participants,  or  themselves.  Indeed,  naming  is  an  overlooked  but 
very  important  aspect  of  the  use  of  security  protocols. 

1.2  Structure  of  the  Thesis 

The  main  parts  of  this  thesis  are  Chapter  4  and  Chapter  5.  In  Chapter  4,  we  continue  the 
discussion  begun  in  the  previous  section  by  formulating  appropriate  goal  beliefs  and  required 
assumptions  for  five  hypothetical  applications  of  security  protocols.  In  the  process,  we  find  that 
these  beliefs  and  assumptions  can  be  quite  complex  and  subtle,  even  for  simple  protocols,  and 
require  us  to  answer  some  difficult  philosophical  questions.  In  Chapter  5,  we  take  a  first  step 
toward  a  rigorous  model  of  protocol  applications  that  will  enable  us  to  use  a  formal  language 
to  specify  goal  beliefs  and  required  assumptions  and  even  a  formal  logic  to  show  how  the 
assumptions  imply  the  goal  beliefs.  We  encounter  a  problem  with  applying  the  possible-worlds 
model  of  belief,  and,  after  describing  it,  we  leave  it  as  future  work. 

Chapter  2  reviews  modeling  techniques  and  formalisms  that  are  important  to  any  attempt  at 
building  a  rigorous  model  of  protocol  applications  and  belief  —  namely,  multi-agent  systems 
and  modal  logic.  Chapter  3  presents  important  works  from  computer  security,  formal  logic,  and 
philosophy  that  are  relevant  to  this  thesis,  and  reviews  several  of  them  in  more  detail. 

Finally,  Chapter  6  presents  conclusions  and  areas  of  useful  future  work. 


This  thesis  includes  some  mathematical  content  that  builds  on  the  discussion  of  beliefs  in  se¬ 
curity  protocols.  It  is  important,  and  a  reader  who  is  interested  in  applying  formal  methods 
to  security  protocols  should  read  this  thesis  straight  through.  But  the  mathematical  content  is 
not  essential;  the  main  ideas  are  not  about  mathematical  models  but  about  security  protocols, 
belief,  naming,  and  meaning.  A  reader  who  is  not  interested  in  formal  methods  should  read  the 
following  parts,  in  sequence: 
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1.  The  rest  of  the  Introduction. 

2.  Section  3.3 

3.  Section  3.5 

4.  Chapter  4 

5.  Chapter  6 

1.3  Attributing  Belief  to  Participants 

Traditionally,  the  term  ‘principal’  is  used  to  denote  the  things  that  perform  roles  in  protocols, 
and  researchers  have  been  comfortable  attributing  not  only  actions  but  also  beliefs  to  these 
things.  This  leads  to  difficult  philosophical  questions.  Consider  several  ways  of  performing 
a  protocol  role.  A  computer  may  be  set  up  to  perform  a  role  completely  without  human  in¬ 
tervention  (e.g.,  DNS  servers).  Or  a  computer  may  do  most  of  the  work  but  still  interact  with 
a  person  at  some  point,  perhaps  at  the  beginning  and  end  of  a  run  (e.g.,  the  “client”  role  of 
HTTP)  or  somewhere  in  the  middle  (e.g.,  the  “client”  role  of  TLS  when  the  user  must  decide 
whether  to  trust  the  server’s  certificate).  Or  a  role  may  be  performed  entirely  by  a  person  (e.g., 
when  someone  uses  a  Telnet  program  to  send  an  HTTP  request).  If  ‘principal’  denotes  just  the 
entity  performing  the  actions,  it  is  hard  to  specify  the  meanings  of  statements  like  ‘Principal  A 
believes  A"’  without  explaining  how  a  computer  can  have  beliefs  when  no  human  is  involved 
in  performing  a  role.  At  the  same  time,  if  ‘principal’  refers  just  to  the  person  or  organization 
responsible  for  the  computer  that  performs  the  actions,  then  we  cannot  attribute  those  actions  to 
the  principal. 

It  thus  seems  that  the  properties  we  attribute  to  a  principal  —  actions,  knowledge,  beliefs  —  are 
often  shared  between  one  or  more  computers  and  one  or  more  people  who  can  access  and  control 
those  computers.  I  will  use  ‘principal’  to  denote  a  combination  of  all  entities  that  together 
perform  a  protocol  role.  If  a  role  is  performed  by  a  computer  and  you  are  not  comfortable 
attributing  belief  to  computers,  you  can  take  sentences  like  ‘Principal  A  believes  X ’  to  mean 
that  the  person  or  people  who  can  access  and  control  the  computer  would  believe  X  if  they  were 
to  review  the  data  currently  in  the  computer. 
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1.4  Notation 

1.4.1  Quotation 

Much  of  this  thesis  is  about  names  and  identifiers,  and  one  of  its  points  is  that,  to  understand 
security  protocols,  we  should  be  precise  with  regard  to  naming  in  our  descriptions  of  principals’ 
beliefs.  In  his  paper  on  quotation,  Donald  Davidson  wrote  the  following: 


When  I  was  initiated  into  the  mysteries  of  logic  and  semantics,  quotation  was  usu¬ 
ally  introduced  as  a  somewhat  shady  device,  and  the  introduction  was  accompa¬ 
nied  by  a  stern  sermon  on  the  sin  of  confusing  the  use  and  mention  of  expressions. 
[4,  p.  27] 


Judging  from  my  experience  and  the  books  on  logic  that  I  have  read,  he  was  the  only  mem¬ 
ber  of  the  congregation.  (Quine  was  definitely  present,  but  it  might  have  been  as  the  preacher 
—  cf.  [5,  §4].)  Nevertheless,  at  some  points  I  would  like  to  rigorously  observe  the  distinction 
between  using  and  mentioning  expressions,  in  order  to  achieve  that  helpful  precision  in  discus¬ 
sions  of  security  protocols.  To  this  end,  I  will  use  single  quotation  marks  always  to  mention  an 
expression  and  never  in  the  ambiguous  manner  in  which  quotation  marks  are  often  used  —  in 
which  an  expression  is  both  mentioned  and  used  at  the  same  time.  However,  this  ambiguous 
use  of  quotation  marks  often  has  rhetorical  value,  and  I  will  use  double  quotation  marks  (“scare 
quotes”)  for  this  purpose. 

There  will  be  places  where  I  need  to  mention  a  class  of  expressions  sharing  a  common  form  — 
for  example,  the  set  of  expressions  that  consist  of  ‘B’  followed  by  a  formula  of  some  formal 
language.  For  this  purpose,  I  will  borrow  Quine’s  idea  and  notation  of  quasiquotation  ([5,  §6]). 
For  example,  suppose  we  let  ‘0’  stand  for  an  arbitrary  formula  of  some  formal  language:  with 
the  quasiquotation  marks  ‘r’  and  ‘n’  we  can  denote  the  set  of  expressions  that  consist  of  ‘B’ 
followed  by  0  with  the  expression  ‘rB0n’.  For  a  quasiquotation  to  work,  it  must  be  clear 
which  parts  of  a  quasiquotation  denote  themselves  (or,  more  precisely,  the  types  of  expression 
of  which  they  are  a  token)  (e.g.,  ‘B’)  and  which  parts  are  metavariables  —  that  is,  stand-ins  for 
other  expressions  (e.g.,  ‘0’).  Throughout  this  thesis,  I  will  use  Greek  letters  like  ‘0’,  ‘0’,  and 
‘t’  as  metavariables,  since  they  do  not  occur  in  any  formal  language  that  I  discuss  and  stand  out 
among  the  symbols  of  these  formal  languages. 
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1.4.2  Protocol  Messages 

In  Chapter  4  and  occasionally  elsewhere  I  need  to  describe  the  structures  of  protocol  messages, 
which  are  often  the  result  of  cryptographic  operations.  I  will  use  the  following  notation: 

def 

raiO'9n  rthe  result  of  concatenating  a  \  and  o-9n 

def 

r{|a[}f,.n  :=  rthe  result  of  encrypting  a  with  key  kP 
r/,r 1  n  rthe  inverse  of  key 
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CHAPTER  2: 
Background 


2.1  Multi- Agent  Systems 

The  mathematical  model  of  security  protocols  that  we  begin  in  Chapter  5  is  based  on  the  multi¬ 
agent  system  framework,  as  presented  in  Fagin  et  al.  ’s  book  “Reasoning  About  Knowledge” 
([6]).  Using  this  framework,  we  start  with  a  set  A  =  {  a  i , . . . ,  an}  of  agents.  At  any  particular 
time,  each  agent  a*  is  in  some  local  state  sai  that  determines  the  properties  of  a,  that  we  are 
interested  in  (e.g.,  behavior,  knowledge,  beliefs).  For  each  agent  a*,  there  is  a  set  La.  of  all 
possible  local  states.  We  may  also  want  to  model  properties  of  non-agent  objects  (e.g.,  message- 
queues):  we  therefore  include  an  environment  e  (along  with  its  set  Le  of  possible  local  states) 
that  also  is  in  some  local  state  se  at  any  particular  time.  The  whole  system  can  be  thought 
of  as  being  in  a  global  state  that  is  the  composition  (se,  sai, . . . ,  sa„)  of  the  local  states  of  the 
environment  and  all  the  agents  at  that  time. 

The  system’s  state  changes  when  an  event  that  we  are  interested  in  occurs.  Time  is  discrete, 
and  we  identify  it  with  the  natural  numbers.  (Time  does  not  have  to  be  discrete.)  A  run  r  is  a 
function  from  time  (i.e.,  N)  to  the  set  of  all  possible  global  states  (i.e.,  Le  x  Lai  x  •  •  •  x  Lan) 
and  thus  is  one  possible  history  for  the  system.  We  identify  our  multi-agent  system  with  a 
particular  set  1Z  of  runs.  7 Z  reflects  all  the  constraints  and  possibilities  of  the  agents’  actions. 
For  any  run  r  and  time  t,  we  call  the  pair  (r,  t)  ‘a  point’.  We  use  V(f)’  to  denote  the  system’s 
global  state  at  point  (r,  t ),  and  we  use  V0j(f)’  to  denote  the  local  state  of  agent  a,:  at  point  (r,  t ). 

For  example,  if  S'  is  a  system  containing  agents  a  and  b  that  pass  messages  to  each  other,  then 
there  could  be  a  run  r  such  that  ra(0)  is  a  state  in  which  a  has  a  message  M  to  send  to  b  (but 
has  not  yet  sent  it),  and  r0(l)  is  a  state  that  means  that  a  has  sent  M  to  6;  of  course,  r6(l)  could 
mean  that  b  has  received  M.  If  this  is  all  we  want  to  happen  in  r,  then  r(l)  =  r(t)  for  t  >  1  — 
that  is,  the  system  halts  after  time  1. 


2.2  Modeling  Belief  with  Modal  Logic 

Modal  logic  is  a  type  of  logic  that  deals  with  what  are  called  ‘modes  of  truth’ .  ‘Modes  of 
truth’  is  difficult  to  define,  so  I  will  just  give  some  examples  of  sentences  that  modal  logic  is 
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particularly  appropriate  for  formalizing: 


9  is  necessarily  greater  than  5. 

One  should  not  speed. 

Bob  thinks  that  the  store  is  closed. 

The  modes  of  truth  in  these  examples  are  necessity,  obligation,  and  belief  (respectively).  In  the 
meanings  of  each  of  these  sentences,  there  is  a  proposition  and  a  mode  that  is  applied  to  that 
proposition  specifying  the  way  in  which  it  is  true.  These  two  components  are  most  evident  in 
the  last  sentence.  We  can  bring  them  out  in  the  first  two  by  rewriting  them  thus: 

It  is  necessary  that  9  is  greater  than  5.  (2.1) 

It  is  required  that  one  does  not  speed. 


In  modal  logic,  we  take  a  standard  logic  like  propositional  logic  or  first-order  logic  and  add 
new  operators  (called  ‘modal  operators’)  for  specifying  modes.  For  example,  if  we  use  as 
a  modal  operator  indicating  necessity,  and  we  use  ‘p’  to  denote  the  proposition  that  9  is  greater 
than  5,  then  we  could  formalize  (2.1)  thus: 


Dp 

If  we  were  using  a  quantified  modal  logic,  we  might  formalize  (2.1)  instead  thus: 

□  GreaterThan(9,  5) 


Propositional  modal  logic’s  standard  semantics  —  possible-worlds  semantics  —  involves 
“Kripke  structures,”  named  for  Saul  Kripke  who  helped  create  possible-worlds  semantics 
(e.g.,  [7]).  A  model  for  non-modal  propositional  logic  is  an  assignment  of  truth-values  (i.e., 
(true,  false})  to  all  proposition  symbols  (such  a  model  is  also  called  an  “interpretation”); 
given  such  an  assignment,  the  truth-value  of  any  formula  in  propositional  logic  can  be  com¬ 
puted  by  applying  the  appropriate  truth-functions  (according  to  the  operators  in  the  formula)  to 
the  truth- values  of  its  proposition  symbols.  While  an  interpretation  of  a  propositional  language 
represents  the  basic  facts  of  the  world,  in  possible-worlds  semantics  an  interpretation  represents 
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only  one  of  the  many  possible  worlds.  The  intuition  for  possible-worlds  semantics  is  clearer  if 
we  consider  necessity:  some  propositions  may  be  true  in  the  real  world,  but  we  can  conceive  of 
a  world  in  which  they  are  not  (e.g.,  ‘There  are  nine  planets’);  in  contrast,  other  propositions  are 
true  in  the  real  world,  and  it  is  not  possible  to  conceive  of  a  world  in  which  they  are  false  (e.g., 
‘9  is  greater  than  5’).  Accordingly,  in  our  Kripke  structure  there  are  worlds  in  which  there  are 
nine  planets  and  worlds  in  which  there  are  some  other  amount  of  planets,  but  in  all  worlds  9  is 
greater  than  5.  Let  ‘p’  stand  for  ‘There  are  nine  planets’  and  ‘q’  stand  for  ‘9  is  greater  than  5’. 
The  modal  formula  ‘Dq’  asserts  the  fact  that  9  is  greater  than  5  in  all  possible  worlds. 

Now  consider  belief.  People  have  different  beliefs,  and  this  difference  means  that  people  dis¬ 
agree  about  which  of  the  possible  worlds  is  the  actual  world.  If  Bob  believes  that  the  store 
is  closed,  then  for  all  worlds  that  Bob  thinks  might  be  the  actual  one,  the  store  is  closed.  Of 
course,  Bob’s  beliefs  change,  and  thus  the  worlds  that  he  considers  possible  change.  We  model 
this  by  putting  Bob  in  one  world  w\  in  which  he  believes  that  the  store  is  closed,  and  in  another 
world  W2  in  which  he  believes  that  it  is  open.  Formally, 

W\  N  ‘  B  s’ 

W2  N  ‘  IB  —i s’ 


(‘s’  stands  for  ‘The  store  is  closed.’  and  ‘B’  is  our  modal  operator  for  Bob’s  beliefs.)  This  is 
possible  because  the  worlds  that  Bob  believes  are  possible  in  w\  and  uh  differ. 

In  general,  for  a  set  P  of  proposition  symbols,  a  Kripke  structure  is  a  tuple 
iff  =  (VP,  Ri,...,  Rn,  7r )  where  IV  is  the  set  of  all  possible  worlds,  each  Rj  is  a  binary  re¬ 
lation  over  IV,  and  n  is  an  assignment  of  interpretations  over  P  to  worlds  in  IV.  Thus,  for  any 
0  in  P  and  any  w  in  IV,  (iff,  w)  \=  (j)  if  and  only  if  i t(w)(4>)  =  true.  For  the  truth-functional 
operators,  satisfaction  takes  the  standard  form: 

(iff,  w )  N  r-i0n  if  and  only  if  n(w)((f>)  =  false 

(M,w)  N  r(0  A  '0)n  if  and  only  if  n (w)(<j>)  =  true  and  ir(w)(ip)  =  true 
etc. 

(Of  course,  not  all  modal  languages  have  the  same  operators  or  use  these  symbols.)  The  lan- 
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guage  must  have  exactly  n  modal  operators  —  Hj , . . . ,  En  —  such  that: 

(M,  w)  N  rSj0n  if  and  only  if  (M,  w')  N  (j>  for  every  w'  such  that  (w,  w')  G  -R* 


(Cf.  [6]  and  [8,  Chapter  5]  for  more  details  on  modal  logic.) 

2.2.1  Modeling  Knowledge  in  Multi-agent  Systems 

It  is  straightforward  to  apply  modal  logic  to  a  multi-agent  system  in  order  to  model  the  knowl¬ 
edge  of  the  agents  in  the  system.  [6]  is  devoted  to  showing  how  to  do  this  and  how  to  apply 
it  to  various  problems.  The  main  idea  is  that  an  agent’s  knowledge  is  determined  by  its  local 
state,  and  therefore  the  agent  will  not  be  able  to  distinguish  between  any  two  points  in  which 
it  is  in  the  same  local  state.  For  a  given  multi-agent  system  7 Z  over  a  set  Q  of  global  states 
and  a  set  A  of  n  agents,  we  describe  the  agents’  knowledge  by  building  a  Kripke  structure 
(W,  A'i, . . . ,  Kn,  7 r).  The  set  of  possible  worlds,  W,  is  the  set  of  points.  For  any  point  (r,  t), 
7r ((r,  t  )  )  is  an  interpretation  of  some  set  of  proposition  symbols  that  describes  some  facts  about 
the  global  state  r(t)  that  we  are  interested  in.  For  each  agent  i,  Ki  is  a  binary  relation  over 
points  such  that  ((r,  t),  (■ r t'))  G  K,  if  and  only  if  i  is  in  the  same  local  state  at  (r,  t)  and  (r',  if). 

In  this  thesis,  we  are  interested  in  belief  rather  than  knowledge,  but  the  method  of  [6]  is  the 
starting-point  from  which  (in  Chapter  5)  we  begin  developing  a  mathematical  model  of  beliefs 
in  security  protocols. 

2.3  Quantified  Modal  Logic  of  Belief 

The  modal  logic  presented  above  is  a  propositional  modal  logic;  if  we  remove  the  modal  opera¬ 
tor,  we  are  left  with  simple  propositional  logic.  Propositional  modal  logic,  in  all  its  varieties,  is 
well  understood,  in  that  there  is  a  variety  of  classes  of  models  from  which  to  choose  to  represent 
one’s  particular  modality  of  interest.  This  is  not  the  case  for  quantified  modal  logic. 

Quantified  modal  logic  is  a  big  topic,  and  I  will  not  provide  a  comprehensive  overview  of  it  here. 
Instead,  I  will  discuss  two  issues  that  are  particularly  important  for  this  thesis:  the  interpretation 
of  identifiers  in  quantified-modal-logic  formulas,  and  the  relation  between  quantifiers,  modal 
operators,  and  the  domain  of  quantification.  Since  we  are  only  concerned  with  modal  logics  of 
belief,  I  will  ignore  other  modalities  like  knowledge  and  necessity. 

Languages  for  quantified  modal  logics  are  usually  made  by  combining  the  syntax  of  proposi- 
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tional  modal  logics  with  the  syntax  of  first-order  non-modal  logic.  Models  for  quantified  modal 
logics  of  belief  usually  take  the  form  of  a  relational  Kripke  structure  M  =  ( > V .  Bu  . . . .  Bn,  tt), 
which  is  different  from  the  Kripke  structures  for  propositional  modal  logic  in  that  tt  maps  VV 
to  what  are  sometimes  called  ‘relational  structures’.  These  relational  structures  are  simply  the 
kind  of  thing  that  can  serve  as  a  model  for  a  first-order  language  —  that  is,  they  have  a  special 
set  that  serves  as  the  domain  of  the  quantifiers,  and  they  map  constants  to  domain  elements, 
function-symbols  to  functions,  and  predicate- symbols  to  predicates.  Thus,  for  both  proposi¬ 
tional  modal  logics  and  quantified  modal  logics,  tt  maps  VV  onto  models  appropriate  for  the 
language. 

The  syntax  and  semantics  of  quantified  modal  languages  vary,  but  the  following  is  very  com¬ 
mon.  For  any  w  in  VV,  let  ‘ w.Dom ’  denote  the  domain  of  the  quantifiers.  For  any  w  in  VV, 
n{w)  assigns  a  member  of  w.Dom  to  each  constant;  it  assigns  a  function  in  w  to  each  function- 
symbol;  and  it  assigns  a  predicate  in  w  to  each  predicate-symbol.  Satisfaction  (‘h’)  is  defined 
defined  over  tuples  of  the  form  ( M,w ,  V )  where  M  is  a  relational  Kripke  structure,  w  is  a 
possible  world,  and  V  is  a  “valuation”  —  that  is,  a  partial  function  mapping  variables  to  do¬ 
main  elements.  But  before  defining  satisfaction,  we  need  to  show  how  terms  —  i.e.,  constants, 
variables,  and  function-applications  —  are  interpreted  for  a  given  (M,  tv.  V).  We  will  use  the 
notation  to  denote  the  interpretation  of  a  term  relative  to  some  {M.  w,  V ).  For  any 

(M,  w1  V )  (where  M  =  (W,  Bi, . . . ,  Bn,  n)),  we  have  the  following: 


\k\M,w,\  _ 

\a\M,w,v  =  V(a) 

\p\M’w’v  =  ttH(p) 

\$\M’W’V  =  7T(w)($) 


(k  is  a  constant) 
(cc  is  a  variable) 
(p  is  a  function-symbol) 
(<f>  is  a  predicate-symbol) 
,  \Tm\M,w,v )  (each  Tj  is  a  term) 
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Satisfaction  (‘1=’)  is  also  defined  recursively: 

(M,  w,  V)  N  r<f>(r)n  if  and  only  if  \T\M’W’V  e  ir(w)($) 

(M,  w,  V)  N  rVa  0n  if  and  only  if  (M,  w,  V')  N  0  for  any  x  in  w.Dom 
where  V'  is  the  same  as  V  except  for  mapping  a  to  a: 

(M,  w,  V )  N  r3a  0n  if  and  only  if  (M,  w,  1/')  N  0  for  some  x  in  w.Dom 
where  V'  is  the  same  as  V  except  for  mapping  cc  to  a; 

(M,  w,  V )  N  rSi0n  if  and  only  if  (M,  w' ,  V)  N  0  for  any  w/  in  W  such  that  (w,  w')  G  Bi 
(Hj  is  the  modal  operator  corresponding  to  Bt) 

(M,  w,  V )  N  r-i0n  if  and  only  if  (M,  w,  V)  ¥  0 

(M,  w ,  V)  N  r (0  A  0)n  if  and  only  if  (M,  w,  V)  h  0  and  (M,  w,  V)  1=  0 

And  so  on  for  the  other  truth-functional  operators. 

2.3.1  Dealing  with  Names 

Designing  a  model  for  a  quantified  modal  logic  of  belief  beyond  what  we  have  done  in  the 
previous  paragraph  involves  some  tricky  questions  about  the  nature  of  belief  and  the  class  of 
linguistic  objects  that  includes  names,  descriptions,  identifiers,  etc..  For  convenience,  I  will  call 
such  objects  ‘names’.  Consider  the  use  of  names  inside  the  ‘that’ -clauses  in  these  sentences: 

Alice  believes  that  Obama  is  tall.  (2.2) 

Alice  believes  that  the  U.S.  president  is  tall.  (2.3) 


If  Alice  for  some  reason  (perhaps  some  sociological  theorem)  believes  that  the  U.S.  always 
elects  tall  presidents,  then  (2.3)  could  be  true  even  if  she  does  not  know  who  the  president  is. 
If  we  were  to  model  (2.3)  with  a  relational  Kripke  structure,  then  in  all  the  worlds  that  Alice 
considers  possible,  the  U.S.  president  is  tall  but  not  necessarily  the  same  person.  In  this  way,  the 
name  ‘the  U.S.  president’  seems  to  refer  to  something  abstract,  perhaps  the  role  of  president, 
although  in  any  particular  world  it  certainly  refers  to  exactly  one  person  (I  hope).  In  contrast, 
in  (2.2)  the  name  ‘Obama’  seems  tied  to  a  specific  person,  and  so,  in  our  relational  Kripke 
structure  for  this  sentence,  the  same  person  would  be  tall  in  every  world  that  Alice  considers 
possible.  For  Alice,  ‘Obama’  is  a  rigid  designator  (to  use  the  philosophical  jargon),  while  ‘the 
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U.S.  president’  is  a  non-rigid  designator.  (Cf.  [9]  for  a  good  overview  of  the  concept  of  “rigid 
designator”) 

It  is  easy  to  model  cases  like  this  one  in  which  it  is  clear  whether  a  name  is  rigid  or  non-rigid;  we 
just  include  the  denotations  of  the  rigid  names  (in  this  example,  ‘Obama’)  in  the  domain,  and  we 
add  a  predicate  for  each  non-rigid  designator.  Let  M  =  (VV.  Ba,  n)  be  a  Kripke  structure  where 
Ba  is  Alice’s  belief-relation.  For  each  world  w  in  VV.  the  domain  w.Dom  contains  people, 
and  there  are  a  set  w.T  of  all  tall  people  and  a  set  w.P  containing  just  the  person  who  is  the 
president.  Let  w\  be  a  world  in  which  (2.2)  is  true  and  w2  be  one  in  which  (2.3)  is  true.  Then 
Obama  is  in  both  w.Dom  and  w.T  for  any  w  such  that  (wi,  w)  €  Ba,  and  w.P  C  w.T  for  any  w 
such  that  (w2,  w)  £  Ba.  This  model  can  be  concisely  described  with  a  formal  language.  For  all 
w  in  W,  let  7r(w)(‘  Tall  ’)  =  w.T,  7r(w;)(‘  President  ’)  =  w.P,  and  7r(w;)(‘o’)  =  Obama.  We 
now  have  the  following  (Vo  is  an  empty  valuation): 

(M,Wl,V0)  N  ‘  Ba  Tall(o)’ 

(M,w2lV0)  N  ‘ BaVa; (President (x)  — »  Tall(a;))’ 


There  are  still  cases  involving  non-rigid  names  that  are  difficult  to  describe  with  this  logic. 
(In  [10],  Grove  makes  the  following  points,  and  the  following  example  is  derived  from  there.) 
Suppose  we  have  a  system  of  autonomous,  mobile  agents,  and  an  agent  a  breaks  down  and 
broadcasts  a  “help”  message  that  it  hopes  will  be  received  by  the  helper  agent  h.  These  agents 
do  not  have  a  standard  naming  system,  and  so  the  “help”  message  contains  directions  to  a’s 
location.  However,  the  transmission  medium  is  quite  unreliable  and  parts  of  the  message  may 
have  been  lost  or  corrupted;  a  will  keep  broadcasting  the  “help”  message  until  it  receives  an 
acknowledgement  from  h.  How  should  we  formally  express  the  condition  under  which  a  should 
stop  broadcasting  the  “help”  message?  Consider: 

B/i  NeedsHelp(a)  (2.4) 

Informally,  lh  believes  that  a  needs  help’.  Is  this  good  enough?  Or  is  it  possible  that  (2.4)  is 
true  but  a  should  continue  calling  for  help?  Suppose  the  message  originally  said  ‘The  agent  in 
room  22  needs  help’  but  was  corrupted  on  its  way  to  h,  so  that  h  ended  up  seeing  ‘The  agent 
in  room  2  needs  help’.  Unaware  that  the  message  was  corrupted,  h  sends  the  acknowledgement 
and  proceeds  toward  room  2.  Clearly  a  should  continue  sending  the  message,  and  yet  (2.4)  is 
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in  some  sense  true:  h  believes  ‘The  agent  that  just  sent  that  message  needs  help’  and  the  name 
‘the  agent  that  just  sent  that  message’  denotes  a. 

The  problem  with  (2.4)  is  that  it  does  not  say  how  h  refers  to  a;  it  just  says  that  h  refers  to  a 
somehow.  What  we  need  is  a  formula  that  says  something  like  7i  can  find  a  by  following  some 
list  of  directions,  and  h  believes  that  the  agent  that  it  can  find  by  following  those  directions 
needs  help’.  Let  the  predicate  ‘GoToRoom22’  denote  the  property  whereby  an  agent  can  be 
found  by  h  by  going  to  room  22:  then  we  can  replace  (2.4)  with  this: 

B/j  Vx(GoToRoom22(x)  — ►  NeedsHclp(a;))  (2.5) 

The  English  equivalent  to  (2.5)  is  ‘ h  believes  that  the  agent  in  room  22  needs  help’,  where  ‘the 
agent  in  room  22  is  a  non-rigid  designator’ .  If  a  were  to  believe  (2.5),  it  would  stop  broadcasting 
the  “help”  message,  because  (2.5)  says  that  h  knows  all  it  needs  to  in  order  for  it  to  find  and 
help  a.  However,  although  (2.5)  is  fine  for  our  current  example,  we  would  need  a  different 
predicate  instead  of  ‘GoToRoom22’  whenever  a  is  in  a  different  location.  Moreover,  we  cannot 
generalize  (2.5)  without  a  higher-order  logic  that  can  quantify  over  predicates;  for  example, 
how  would  we  formalize  ‘ h  believes  that,  for  any  room  r,  the  agent  in  r  needs  help’?  So  we 
see  that  there  are  situations  involving  non-rigid  names  that  conventional  quantified  modal  logic 
cannot  handle. 

2.3.2  Dealing  with  Quantification 

In  the  above  examples,  I  have  been  assuming  that  different  worlds  can  have  different  domains. 
In  fact,  this  is  not  an  obvious  assumption;  many  quantified  modal  logics  make  the  common- 
domain  assumption ,  which  says  that  all  the  worlds  have  the  same  domain.  It  turns  out  that,  with 
the  common-domain  assumption,  it  is  easier  to  adapt  standard  inference  rules  for  quantifiers 
to  quantified  modal  logic  than  it  is  if  we  allow  worlds  to  have  different  domains.  Logics  with 
the  common-domain  assumption  are  characterized  by  the  validity  of  what  is  called  ‘the  Barcan 
Formula’  (cf.  [11]),  which  is  really  a  class  of  formulas: 

rVo;  E  <fi  — >  E  \/a  (ji1 

(‘cc’  stands  for  a  variable,  ‘S’  a  modal  operator,  and  ‘0’  a  formula  in  which  a  may  be  free.)  For 
a  quantified  modal  logic  of  belief,  the  common-domain  assumption  implies  that  in  every  world 
everybody  knows  who  or  what  exists. 
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The  main  purpose  for  allowing  different  domains  is  to  represent  cases  in  which  the  believer  is 
unsure  (or  incorrect)  about  who  or  what  actually  exists.  One  difficulty  with  this  approach  is 
dealing  with  formulas  like  the  following: 

VxBa  Tall(x) 

Suppose  this  formula  is  true  at  world  w.  This  seems  to  say  that  Alice  thinks  that  everyone  is 
tall.  In  fact,  it  effectively  says  more  than  this,  because  it  forces  the  domains  of  all  the  worlds 
that  Alice  thinks  possible  to  be  supersets  of  w’ s  domain.  For,  according  to  the  definition  of  ‘1=’ 
given  earlier,  the  formula  is  true  at  w  if  and  only  if,  for  any  member  i  of  w.Domn,  ‘Ba  Tall(x)’ 
is  true  at  w  when  ‘x’  is  taken  to  denote  i;  but  this  means  that,  for  any  world  w'  that  Alice  thinks 
possible  at  w,  ‘Tall(x)’  is  true  when  ‘x’  is  taken  to  denote  i,  and  this  in  turn  means  that  i  is  a 
member  of  w'.T  (the  set  of  all  tall  people  at  w')  and  thus  a  member  of  w'.Dom.  It  is  difficult 
to  design  quantified  modal  logics  with  varying  domains,  even  though  having  varying  domains 
makes  sense  for  many  applications. 

Quantified  modal  logic  presents  a  minefield  of  issues,  including  philosophical  ones,  but  it  also 
provides  opportunities  for  formally  dealing  with  naming.  In  Chapter  3  we  will  look  at  Grove’s 
attempt  ([10])  to  take  advantage  of  them. 
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CHAPTER  3: 
Literature  Review 


This  thesis  builds  on  works  from  three  areas  of  inquiry:  computer  security,  formal  logic,  and 
philosophy  of  language  and  logic.  Most  relevant  are  works  about  belief  in  security  protocols, 
such  as  Rangan’s  [12];  BAN  Logic  and  related  logics  ([13],  [14],  [15],  [16],  [17],  [18],  and 
[19]);  and  Yahalom  etal.’s  [20].  [12]  and  [20]  are  particularly  relevant  in  that  they  are  motivated 
by  the  idea  that  it  is  important  to  understand  a  protocol’s  trust-assumptions.  BAN  Logic,  [12], 
and  [20]  are  discussed  in  more  detail  below. 

Another  related  area  is  “trust  management”:  security  systems  that  explicitly  represent  and  rea¬ 
son  about  trust  in  order  to  enforce  security  policies.  The  term  ‘trust  management’  seems  to 
have  been  introduced  by  Blaze  et  al.  in  [21].  Recent  works  in  this  area  include  Li  et  a/.’s  [22] 
and  Guttman  et  a/.’s  [23].  Although  they  do  not  use  the  term  ‘trust  management’,  Appel  et  al. 
present  a  similar  system  in  [24],  which  is  discussed  below. 

The  mathematical  model  that  we  begin  later  in  this  thesis  (Chapter  5)  uses  two  important  mod¬ 
eling  methods:  modal  logic  with  possible-worlds  semantics,  and  multi-agent  systems.  The  best 
reference  for  combining  these  two  methods  is  Fagin  et  a/.’s  [6].  This  thesis’s  pursuit  of  a  math¬ 
ematical  model  was  inspired  by  the  potential  usefulness  of  a  quantified  modal  logic  of  naming 
such  as  that  presented  in  Grove’s  [10],  which  is  presented  below. 

Perhaps  surprisingly,  quantified  modal  logic  is  closely  related  to  philosophical  questions  about 
naming  and  modes  of  truth  (e.g.,  belief,  necessity)  that  go  back  to  Frege’s  1892  paper  [25], 
which  is  perhaps  the  first  place  where  the  strange  logical  properties  of  modalities  and  names  are 
discussed.  Quine  first  presented  his  approach  to  these  questions  in  [26].  Barcan’s  [11],  in  which 
she  presents  a  quantified  modal  logic,  and  Quine’s  response  to  Barcan  in  [27]  clearly  show  how 
these  questions  are  relevant  to  quantified  modal  logic.  (We  already  saw  some  of  these  issues 
in  Section  2.3.)  Quine  expands  his  approach  in  [28].  In  [29],  Kaplan  compares  the  approaches 
of  Frege  and  Quine  and  then  attempts  to  answer  these  questions  in  terms  of  different  kinds  of 
names.  Later  (Chapter  4),  we  will  find  Kaplan’s  ideas  about  kinds  of  names  quite  useful.  As 
a  way  of  also  introducing  Frege’s  and  Quine’s  approaches,  Kaplan’s  comparison  of  them  is 
presented  very  briefly  below. 

It  is  of  course  not  possible  to  review  in  detail  all  previous  works  related  to  the  problem  and 
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approach  presented  in  this  thesis.  Instead,  I  have  chosen  just  a  few  works  that,  I  hope,  will  put 
the  present  work  in  context. 


3.1  Rangan’s  “Axiomatic  Basis  of  Trust” 

The  goals  and  method  of  this  thesis  are  very  similar  to  those  of  the  approach  of  P.  Venkat  Ran- 
gan  presented  in  the  1988  paper  “An  Axiomatic  Basis  of  Trust  in  Distributed  Systems”  ([12]). 
Rangan  believed  that  security  protocols  for  the  then-emerging  distributed  systems  of  computers 
would  have  to  deal  with  the  absence  of  a  single  universally  trusted  source  of  information,  in 
order  for  the  independent  organizations  and  people  who  own  those  computers  to  get  any  benefit 
from  interacting  with  each  other.  For  any  security  protocol,  it  is  necessary  to  understand  the 
particular  kinds  of  trust  it  uses  (or  assumes),  in  order  for  us  to  decide  whether  that  protocol 
should  be  used  for  a  given  situation. 

As  we  do  in  Chapter  5,  Rangan  models  trust  using  a  modal  logic  of  belief  and  the  multi-agent 
system  framework.  He  applies  possible-worlds  semantics  to  the  modal  logic  and  interprets 
possible  global  states  of  a  system  as  possible  worlds.  For  each  participant,  belief  is  represented 
with  a  transitive,  Euclidean,  and  serial  binary  relation  over  the  possible  global  states.  (A  binary 
relation  R  over  a  set  S  is  “transitive”  if  and  only  if,  for  any  elements  a,  b,  and  c  of  S,  if  (a,  b)  e  R 
and  (6,  c)  e  R  then  (a,  c)  E  R.  R  is  “Euclidean”  if  and  only  if,  for  any  elements  a,  b,  and  c  of 
S,  if  (a,  b)  G  R  and  (a,  c)  G  R  then  (b,  c)  G  R.  R  is  “serial”  if  and  only  if,  for  any  element  a  of 
S,  there  exists  an  element  b  of  S  such  that  (a,  b)  e  R.)  A  trust  is  a  belief  held  by  a  participant 
before  and  throughout  a  run  of  a  protocol  —  in  other  words,  an  assumption.  A  participant’s 
trusts  are  represented  as  constraints  on  the  belief-relation,  but  the  rest  of  the  beliefs  (that  is, 
beliefs  acquired  as  a  result  of  a  run  of  the  protocol)  are  determined  solely  by  the  participant’s 
local  state. 

Another  similarity  between  this  thesis  and  Rangan’s  work  is  in  his  approach  to  discovering 
the  trusts  of  a  protocol.  The  security  goals  of  a  given  system  are  encoded  as  formulas  in  the 
modal  logic;  we  then  must  look  for  other  formulas  (asserting  some  beliefs  on  the  part  of  some 
participants)  such  that,  when  they  are  added  as  additional  axioms  to  the  logic,  the  goal  formulas 
can  be  derived. 

In  our  attempt  to  make  a  mathematical  model  of  security  protocols,  we  do  not  use  Rangan’s 
approach.  His  approach  does  not  account  for  the  use  of  names  in  participants’  beliefs,  and 
thus  it  is  not  possible  for  it  to  deal  with  cases  of  relative  or  ambiguous  names.  Also,  in  his 
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multi-agent  system  model,  the  meanings  of  messages  that  participants  send  to  each  other  are 
explicitly  represented  by  formulas  contained  in  the  message,  which  prevents  participants  from 
interpreting  messages  differently.  Consequently,  we  must  decide  on  the  “correct”  interpretation 
of  a  protocol’s  messages  before  we  can  model  it.  In  contrast,  in  the  approach  presented  in 
Chapter  5  we  represent  participants’  interpretations  of  messages  as  assumptions  made  by  these 
participants. 

3.2  BAN  Logic 

In  the  late  1980s  and  early  1990s,  Michael  Burrows,  Martin  Abadi,  and  Roger  Needham  devel¬ 
oped  a  formal  logic  for  analyzing  authentication  protocols  that  has  been  very  influential  and  has 
come  to  be  called  ‘BAN  Logic’.  There  is  no  definitive  version  of  BAN  Logic;  it  was  presented 
with  variations  in  multiple  papers  in  1989  and  1990  ([13],  [30],  and  [16]).  It  quickly  received 
much  attention  (e.g.,  [17],  [31],  [32],  and  [18]).  In  response  to  some  criticism  (Syverson’s  [32] 
provides  a  good  analysis  of  the  issues),  Abadi  and  Mark  R.  Tuttle  presented  ([19])  a  revised 
version  with  a  new  semantics.  I  present  the  revised  version  here. 

The  purpose  of  the  logic  is  to  enable  analysis  of  authentication  protocols  in  terms  of  the  be¬ 
liefs  of  the  participants.  The  goal  of  a  particular  protocol  would  be  defined  as  the  holding  of 
particular  beliefs  by  the  participants,  and  the  analysis  would  consist  of  showing  the  effects  of 
the  protocol’s  messages  on  the  participants’  initial  and  subsequent  beliefs.  Therefore,  BAN 
Logic’s  language  focuses  on  belief,  message -passing,  and  the  construction  of  messages  with 
cryptographic  operations.  The  semantics  is  based  on  a  model  of  a  distributed  system  as  a  multi¬ 
agent  system  in  which  the  set  of  agents  contains  all  the  principals  along  with  a  special  agent 
Pe  representing  the  environment.  Each  principal’s  state  contains  a  record  of  the  actions  that 
the  principal  has  performed  (a  “local  history”)  and  the  set  of  keys  that  the  principal  holds  (a 
“key  set”).  The  environment’s  state  includes  a  record  of  all  the  actions  performed  (a  “global 
history”),  a  set  of  keys,  and,  for  each  principal  P,,  a  buffer  containing  all  the  messages  sent 
to  Pi  but  not  yet  received  by  Pi.  A  principal  changes  its  state  by  executing  actions,  but  only 
its  own  state  and  the  environment’s  state  can  change.  The  possible  actions  include  sending  a 
message,  receiving  a  message,  and  receiving  a  previously  unknown  key.  Runs  are  required  to 
satisfy  certain  reasonable  constraints,  such  as  the  constraint  that  a  message  must  be  sent  before 
it  is  received. 

An  important  feature  of  the  model  is  the  division  of  a  run  into  two  “epochs,”  the  past  and  the 
present.  The  states  in  a  run  are  assigned  consecutive  integers  representing  times.  The  negative 
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integers  represent  times  in  the  past,  while  nonnegative  integers  represent  times  in  the  present. 
In  this  way,  BAN  Logic  can  model  recency  of  message-transmissions,  which  is  important  when 
modeling  nonces. 

A  protocol  is  modeled  as  a  set  of  functions  (Ai, . . . ,  An,  Ae},  one  for  each  agent  (the  principals 
and  the  environment),  that  map  local  states  to  actions.  If  agent  i  is  in  local  state  s,  then  i  must 
perform  A;(s). 

Belief  is  modeled  with  the  possible-worlds  approach,  using  points  as  possible  worlds. 

Based  on  this  model,  BAN  Logic  defines  formulas  such  as  the  following  (‘0’  is  a  metavariable 
for  formulas): 

•  ‘ A  says  X ’  (‘A  sends  the  message  X  (in  the  present)’) 

•  ‘A  said  X'  (‘A  sent  the  message  A"’) 

•  "fresh (  A")’  (‘The  message  X  was  sent  for  the  first  time  in  the  present’) 

•  ‘A  has  K'  (‘A  has  key  K ’) 

•  ‘A  A  B'  (‘A  and  B  share  the  key  K ’) 

x 

•  ‘A  ==±  B'  (‘A  and  B  share  the  secret  message  A"’) 

•  rA  believes  0n  (rA  believes  that  0n) 

•  rA  controls  0n  (rWhenever  A  says  that  0,  then  0n) 

The  definitions  of  ‘  says  ’  and  ‘fresh’  distinguish  between  the  two  epochs.  ‘  has  ’  is  defined  as 
a  condition  on  a  principal’s  set  of  known  keys.  and  ‘^’  are  both  defined  as  conditions  on 
the  messages  sent  in  a  run  (in  both  epochs).  If  K  is  a  shared  key  (‘ ■£»•’)  between  two  principals, 

then  the  only  way  another  principal  could  send  a  message  encrypted  with  K  is  by  first  receiving 

x 

that  encrypted  message  from  someone  else.  Similarly,  if  X  is  a  shared  secret  (‘^’)  between 
two  principals,  then  the  only  way  another  principal  could  send  a  message  containing  X  is  by 
first  receiving  that  message  from  someone  else. 

The  papers  in  which  BAN  Logic  was  presented  have  been  very  influential.  These  papers  start 
with  a  strong  and  important  claim:  that  the  goal  of  authentication  is  to  cause  certain  beliefs  in 
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the  participants.  They  then  present  an  intuitive  formalism  for  reasoning  about  how  the  messages 
exchanged  in  authentication  protocols  affect  participants’  beliefs.  The  language  is  very  concise, 
the  rules  are  intuitive,  and  the  focus  of  the  analysis  —  belief  —  is  explicitly  represented.  It  has 
some  problems,  some  of  which  I  discuss  below,  but  in  many  ways  it  is  an  example  of  what  a 
formal  method  should  be. 

3.2.1  Messages  and  Names 

We  do  not  use  BAN  Logic  in  this  thesis  mostly  because  it  assumes  that  all  the  principals  have 
unique  and  commonly  known  names.  If  in  some  protocol  (e.g.,  AdultVerify,  presented  in  Sec¬ 
tion  4.4)  a  principal  holds  beliefs  about  another  principal  without  knowing  the  latter’s  proper 
name,  then  this  protocol  cannot  be  analyzed  with  BAN  Logic. 

There  are  other  problems  with  BAN  Logic  that  should  be  briefly  discussed.  These  problems  are 
in  its  treatment  of  messages.  In  the  multi-agent  system  used  as  BAN  Logic’s  model,  principals 
can  send  keys,  principals’  names,  “primitive  propositions”  ([19,  p.  207])  (whatever  those  are), 
and  “things  like  nonces”  (ibid.)  to  each  other  as  messages,  as  well  as  the  results  of  applying 
certain  operations  to  messages:  concatenation,  encryption,  and  inclusion  of  a  shared  secret.  The 
problem  is  that  they  can  also  send  BAN  Logic  formulas;  BAN  Logic’s  language  is  thus  a  part 
of  its  model!  As  we  saw,  this  also  occurs  in  Rangan’s  model,  and  it  is  a  problem  for  the  same 
reason:  a  principal’s  interpretation  of  concrete  messages  (that  is,  bit-strings)  should  be  our  (the 
analysts’)  object  of  study;  we  should  not  interpret  the  concrete  messages  ourselves. 

3.3  Yahalom,  Klein,  and  Beth’s  “Trust  Relationships” 

The  basis  of  the  1993  paper  “Trust  Relationships  in  Secure  Systems  -  A  Distributed  Authenti¬ 
cation  Perspective”  ([20]),  by  Raphael  Yahalom,  Birgit  Klein,  and  Thomas  Beth,  is  the  authors’ 
observation  that  communication  protocols  rely  on  the  participants’  trust-relationships  just  as 
much  as  they  rely  on  cryptographic  mechanisms  and  shared  secrets,  and  that  there  are  a  variety 
of  trust-relationships  that  protocols  can  take  advantage  of.  The  authors  examined  protocols  that 
are  used  to  establish  secure  communication  over  the  Internet  (e.g.,  Kerberos  ([33]))  and  found 
seven  classes  of  trust-relationships  that  a  user  might  need  to  hold  with  regard  to  a  certification 
authority  (CA)  in  order  to  use  such  a  protocol.  Each  class  is  related  to  a  specific  kind  of  ser¬ 
vice  that  CAs  typically  provide,  such  as  correctly  asserting  that  a  name  belongs  to  a  principal, 
providing  high-quality  cryptographic  keys,  and  maintaining  a  clock  that  can  be  used  to  ensure 
freshness  of  messages. 
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The  significance  of  “Trust  Relationships”  for  this  thesis  is  the  fact  that  Yahalom  et  al.  were 
motivated  by  the  following  observations:  (1)  that  trust  has  an  important  role  in  communication 
protocols,  (2)  that  there  are  multiple  kinds  of  trust,  and  (3)  that  different  protocols  require 
different  kinds  of  trust.  In  the  authors’  words: 


Explicit  specification  of  such  relationships  [i.e.,  trust]  may  help  to  determine  whether 
a  certain  protocol  or  certain  initial  assumptions  are  realistic  in  a  given  environment. 

[. . .  ]  Explicit  analysis  of  required  trust  relationships  can  be  used  as  a  criterion  for 
comparing  different  protocols  (e.g.  which  ones  have  weaker  trust  requirements)  as 
well  as  to  extend  protocols  in  a  way  which  provides  more  flexibility  —  adapting 
them  to  varying  environments  with  different  trust  relationships,  [p.  152] 


Yahalom  et  al.  thus  made  some  of  the  same  observations  about  assumptions  in  security  pro¬ 
tocols  that  we  harp  on  in  this  thesis  (Chapter  4  and  Chapter  6).  Unfortunately,  they  did  not 
consider  trust  classes  involving  names  —  that  is,  trust  classes  in  which  a  principal  is  trusted  to 
use  or  generate  names  in  some  particular  way.  They  also  did  not  consider  how  to  analyze  trust 
when  there  is  no  universal  naming  system. 


з. 4  Appel  and  Felten’s  “Proof-carrying  Authentication” 

In  1999,  Andrew  W.  Appel  and  Edward  W.  Felton  presented  ([24])  a  formalism  that  can  express 
many  of  the  things  that  BAN  Logic  can  express.  (I  will  refer  to  this  formalism  as  ‘Appel-Felton 
Logic’.)  Appel-Felton  Logic  is  a  non-modal,  higher-order  logic.  The  key  feature  of  this  logic 
is  that  it  models  each  principal  as  a  predicate  that  identifies  the  formulas  that  that  principal 
believes  (or,  in  their  words,  “admits  as  true”).  Such  a  predicate  is  called  ‘a  worldview’. 

Identifiers  in  Appel-Felton  Logic  can  refer  to  strings,  formulas,  functions,  and  predicates,  in¬ 
cluding  worldviews;  all  of  these  sorts  can  be  quantified  over.  Atomic  formulas  have  the  form 
rcc(0)n,  where  u  is  a  variable  denoting  a  worldview  and  0  is  a  formula  or  a  variable  denoting 
a  formula;  rcc(0)n  means  that  the  formula  (denoted  by)  0  is  true  in  the  worldview  denoted  by 

и.  (This  logic  confusing  using  and  mentioning  because  it  is  higher-order.)  “Principals”  are 
a  special  type  of  worldview:  worldview  P  is  a  principal  if  and  only  if  the  following  are  true 
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(p.  54): 


WF.  F  — >  P(F) 

VFVG  .  (P(F)  A  P(F  ->  G))  — >  P(G) 

(‘F’  and  ‘G’  range  over  formulas.)  The  logic  includes  a  primitive  function  called  ‘A/"’  that 
constructs  principals  from  strings.  In  this  way,  Appel-Felton  Logic  distinguishes  between  prin¬ 
cipals  and  their  names.  The  logic  does  not  have  axioms,  only  inference  rules.  (Interestingly, 
one  of  the  inference-rules  (n  is  prin,  p.  55)  implies  that  J\f  is  a  total  function.) 

Unlike  BAN  Logic,  Appel-Felton  Logic  was  not  designed  as  a  protocol- analysis  tool.  Instead, 
the  intended  use  of  this  logic  is  as  an  implementation-language  for  various  methods  of  dis¬ 
tributed  authentication  —  for  example,  the  authors  mention  SPKI  ([34],  [35])  and  X.509  ([36]). 
The  fact  that  this  logic  is  higher-order  enables  one  to  define  specific  predicates  for  a  partic¬ 
ular  authentication  method  —  in  other  words,  it  can  be  used  to  implement  a  domain-specific 
language  for  a  particular  type  of  authentication. 

For  example  (pp.  56-57),  we  could  define  some  predicates  for  authentication  methods  that  use 
public-key  cryptography: 

ru  says  rcu(0)n 

dcf 

rUi  speaksfor  u ;2n  :=  rVa;  .  aq  says  x  — >  u2  says  xn 

def 

r(cert  lui  aLU2y  r<^i  says  (A/"(cr)  speaksfor  a ;2)n  (a  is  an  identifier  of  sort  string) 

Thus,  ‘(cert  C  Ka  A )’  can  represent  the  fact  that  the  certification  authority  C  has  bound  the 
public  key  Ka  to  A.  Notice  how  Ka  is  used  (appropriately)  as  a  string.  The  assumption  is  that, 
if  the  server  receives  a  message  containing  the  formula  F  signed  with  A’s  private  key,  it  will 
infer  ‘A f(Ka)  says  F\  The  function  J\f  reflects  the  assumption  that  only  one  person  has  the 
corresponding  private  key  and  can  thus  cause  A f(Ka)  to  “speak.” 

Appel-Felton  Logic  shows  how  a  higher-order  language  can  be  used  to  create  domain-specific 
languages  which,  in  turn,  can  be  used  to  enforce  security  policies.  A  key  idea  in  their  paper 
is  that  requests  should  include  proofs  of  the  conditions  which  must  hold  (according  to  some 
security  policy)  in  order  for  the  requests  to  be  satisfied.  This  enables  security  policies  to  be 
specified  declaratively  (in  the  domain-specific  language)  while  still  not  requiring  the  server  to 
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generate  the  proofs  itself  but  merely  to  verify  them. 

Appel-Felton  Logic  is  powerful,  but  it  cannot  deal  with  some  of  the  issues  of  naming  that  are 
of  concern  in  this  thesis  —  for  example,  the  possibility  that  a  name  does  not  actually  refer  to 
anything.  Also,  it  does  not  have  a  model  with  which  we  can  justify  the  inference  rules. 

3.5  Kaplan’s  “Quantifying  In” 

David  Kaplan  takes  up  the  issues  raised  by  Quine  ([28])  about  the  logical  properties  of  what 
Quine  calls  “referentially  opaque”  contexts.  He  contrasts  Quine’s  analysis  with  what  he  presents 
as  Frege’s  ([25]),  and  argues  that  Frege’s  provides  a  better  explanation.  Briefly,  Kaplan  de¬ 
scribes  Quine’s  analysis  as  treating  names  inside  opaque  contexts  as  meaningless,  since  they 
do  not  have  the  same  logical  properties  as  they  do  outside  such  contexts.  By  contrast,  Kaplan 
presents  Frege’s  analysis  as  treating  names  inside  opaque  contexts  as  just  as  meaningful  as  in 
normal  contexts,  but  having  a  different  meaning  from  the  normal  one.  For  example,  consider 
the  following  sentence: 

Ortcutt  is  a  spy,  and  Ralph  believes  that  Ortcutt  is  a  spy.  (3.1) 


This  sentence’s  opaque  context  is  everything  to  the  right  of  ‘that’.  For  Quine  (according  to 
Kaplan),  the  second  occurrence  of  ‘Ortcutt’  does  not  mean  anything,  at  least  as  far  as  logic  is 
concerned.  But  for  Frege,  the  second  occurrence  of  ‘Ortcutt’  is  just  as  referential  as  the  first, 
but  the  two  occurrences  do  not  have  the  same  meaning.  The  second  one  refers  to  something 
other  than  Ortcutt,  something  more  mental.  Kaplan  shows  that  with  Frege’s  analysis  we  can 
explain  why,  for  example,  substitution  fails  when  it  crosses  the  border  of  opaque  contexts:  we 
are  substituting  an  expression  that  means  something  different  than  the  one  being  replaced. 

Kaplan  hypothesizes  that  these  strange  mental  entities  that  are  referred  to  in  opaque  contexts 
are  linguistic  —  specifically,  expressions.  So,  when  we  quantify  into  opaque  contexts,  we  must 
be  sure  to  only  quantify  over  expressions,  as  in  the  following: 

3 a  .  Ralph  believes  ra  is  a  spyn 


(‘ a ’  ranges  over  expressions.) 

This  still  leaves  us  unsure  about  what  if  any  relation  between  Ralph  and  Ortcutt  is  implied 
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by  (3.1),  since  it  now  seems  that  belief  is  just  a  relation  between  the  believer  and  a  sentence. 
Kaplan’s  main  contribution  to  Frege’s  approach  in  this  paper  is  to  shed  some  light  on  the  very 
tricky  relations  between  believer,  belief,  and  the  things  the  belief  is  about,  and  to  show  that  there 
are  different  kinds  of  names  that  have  different  logical  properties  in  opaque  contexts.  Consider 
the  difference  between  the  following: 

Ralph  believes  that  Ortcutt  is  a  spy. 

Ralph  believes  that  the  shortest  spy  is  a  spy. 

Assuming  that  ‘Ortcutt’  is  the  name  of  someone  Ralph  knows  and  that  there  is  a  shortest  spy, 
both  of  these  sentences  have  names  in  opaque  contexts  that  denote  people,  but,  as  Quine  would 
say,  the  FBI  would  only  be  interested  in  the  first  one.  This  is  just  a  simple  example  of  Kaplan’s 
distinctions  between  kinds  of  names  based  on  their  causal  relations  with  their  subjects  and  ob¬ 
jects  and  their  descriptive  contents;  we  will  find  this  distinction  useful  later  (Subsection  4.3.2). 
At  the  end,  he  picks  a  kind  of  name  (“vivid  names”)  that  he  claims  guarantees  a  connection  be¬ 
tween  the  subject  and  object  strong  enough  to  allow  quantification  and  substitution  into  opaque 
contexts. 

3.6  Grove’s  Logic 

In  1995,  Adam  Grove  presented  ([10])  a  quantified  modal  logic  of  knowledge  for  describing 
systems  of  multiple  interacting  agents.  Grove’s  principal  goal  for  the  logic  was  to  account  for 
the  names  that  agents  use  to  refer  to  each  other,  but  he  also  includes  features  to  represent  a 
kind  of  subjective  knowledge.  This  logic  is  an  extension  of  a  propositional  logic  with  simi¬ 
lar  goals  that  Grove  and  Joseph  Halpern  presented  ([37])  in  1993.  Because  of  the  quantified 
logic’s  explicit  treatment  of  names,  it  is  the  inspiration  for  the  mathematical  model  begun  later 
(Chapter  5)  in  this  thesis. 

3.6.1  The  Issues 

As  Grove  sees  it,  a  formal  model  of  knowledge  that  accounts  for  naming  should  deal  with  two 
issues.  The  first  issue  is  about  the  scope  of  non-rigid  names  used  in  descriptions  of  agents’ 
knowledge.  To  explain,  Grove  gives  an  example: 

. . .  consider  an  unreliable  network  in  which  some  processes  may  have  failed.  Let  the 
formula  0  stand  for  “pi  knows  that  all  correct  processes  received /p ’s  last  message”. 
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Suppose  that,  in  fact,  the  correct  processes  are  pi,  p2,  and  p3,  and  p\  knows  that  all 
three  of  these  processes  actually  did  receive  the  message.  [10,  p.  313] 


Whether  0  is  true  depends  on  the  meaning  of  the  name  ‘all  correct  processes’.  We  know  that 
Pi,  p2,  and  p:>  are  all  the  correct  processes,  and  so  if  we  interpret  this  name  from  our  (i.e., 
an  objective)  perspective,  then  0  is  true.  But  suppose  that  pi  thinks  that  there  is  some  other 
process,  p4,  that  is  also  correct:  then  from  p4’s  perspective,  0  is  false  “(and,  perhaps,  may  spend 
more  time  —  fruitlessly  —  waiting  for  additional  acknowledgments)”  (ibid.).  Each  perspective 
introduces  a  scope  in  which  names  like  ‘all  correct  processes’  are  interpreted.  p{ s  perspective  is 
the  innermost  scope  for  this  name,  whereas  the  outermost  scope  is  the  real  world  —  that  is,  the 
world  in  which  the  sentence  is  said  to  hold.  The  issue  is  that  different  scopes  can  be  useful  for 
different  names  and  sentences,  and  so  it  is  desirable  that  a  formal  model  of  knowledge  enables 
names  to  be  interpreted  at  arbitrary  scopes.  In  most  quantified  modal  logics  with  non-rigid 
constants,  ‘all  correct  processes’  would  be  re-evaluated  in  each  of  the  worlds  that  pi  considers 
possible,  thus  giving  it  an  innermost-scope  interpretation. 

Suppose  that  we  interpret  ‘all  correct  processes’  using  the  outermost  scope,  which  would  make 
0  true.  We  thus  know  that  the  knowledge  that  0  attributes  to  pi  is  about  p±,p2,  and  p3,  but  we  do 
not  know  with  what  name  or  names  p\  refers  to  p],  p-2,  and  p3.  There  are  many  possibilities:  for 
example,  p\  may  use  the  name  ‘all  correct  processes’  to  refer  to  them  collectively,  or  it  may  use 
a  different  name  for  each  of  them.  This  is  the  issue  that  Grove  calls  ‘multiple  ways  of  referring’ . 

3.6.2  The  Logic 

To  build  a  logic  that  addressed  these  issues,  Grove  apparently  found  it  necessary  to  have  it  deal 
with  subjective  knowledge  as  well,  as  in  ‘the  agent  who  just  sent  me  a  message’  and  7  know 
that  Bob  needs  help’.  To  do  this,  he  used  a  variant  of  possible-worlds  semantics  based  on  ideas 
from  the  work  of  David  Lewis  ([38])  and  Yves  Lesperance  ([39]).  In  his  model,  a  formula  is 
interpreted  not  in  terms  of  a  world  but  in  terms  of  a  world-agent  pair,  and  instead  of  having 
multiple  knowledge -relations  K,  over  worlds,  it  has  just  one  knowledge-relation  K  over  world- 
agent  pairs.  Briefly,  a  world-agent  pair  ( w ,  a)  represents  the  world  w  from  the  point  of  view  of 
agent  a;  if  ((w,  a),  (w1,  a'))  G  K,  then  a  in  w  thinks  that  w'  could  be  the  real  world  and  that  he 
could  be  a'  in  w' .  It  is  difficult  to  get  an  intuition  for  this,  and  I  will  not  do  it  much  justice  here 
—  for  details,  cf.  Grove’s  paper  as  well  as  Lesperance’s.  The  effect  on  the  logic’s  language  is 
that  there  is  a  term  ‘me’  such  that,  if  (w,  a)  1=  0,  then  ‘me’  denotes  a  wherever  it  occurs  in  0 
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outside  the  scope  of  a  modal  operator.  For  example,  (w,pi)  N  ‘  NeedHelp(me)’  if  and  only  if 
Pi  needs  help  in  world  w. 

To  deal  with  names,  Grove  made  his  logic  multi-sorted ,  with  two  sorts:  agents  and  names.  This 
means  that  all  identifiers  (i.e.,  all  constants  and  variables)  in  the  language  fall  into  exactly  one 
of  these  sorts.  All  terms  except  ‘me’  consist  of  a  single  letter;  lowercase  terms  are  of  sort 
agent,  and  capital  terms  are  of  sort  name,  ‘me’  is  also  of  sort  agent.  Correspondingly,  in  the 
semantics  each  world  has  two  domains:  a  domain  of  agents  and  a  domain  of  names.  Worlds  can 
contain  different  agents,  but  every  world  must  have  the  same  name-domain.  Every  world  also 
has  a  special  ternary  predicate,  denoted  by  ‘In’  in  the  language,  that  represents  the  relationship 
between  a  name,  the  agent  who  uses  the  name,  and  the  agent  denoted  by  the  name. 

A  key  principle  of  Grove’s  logic  is  that,  when  one  agent  reasons  about  another,  it  does  so  using 
some  name.  This  principle  is  reflected  in  the  logic’s  syntax  in  the  form  of  a  restriction  that 
bans  formulas  such  as  ‘3x  Kme  P(x)’  in  which  a  quantifier  over  an  agent  variable  binds  into  the 
scope  of  a  modal  operator.  As  Grove  says,  “Such  formulas  assert  knowledge  about  someone 
(some  x)  but  they  do  not  say  anything  about  how  this  agent  is  actually  being  referred  to  (by  me, 
or  whoever  is  doing  the  reasoning)”  ([10,  p.  329]). 

Grove  gives  (p.  326)  the  following  formula  to  show  off  his  logic: 

3x^Talking(me,  x)  A  3X (Location(9f )  A  ln(me,  x,X) 

AKme(Vt/  :  ln(me,  y,  X)  ->  Tal\(y)))^j 


He  interprets  it  as  follows: 


I  (me)  am  talking  to  some  agent  (. x ),  x’s  position  relative  to  me  is  captured  by  some 
“location-type”  name  X  (for  instance,  X  might  be  “in  front  of”),  and  I  know  that 
the  agent  in  that  location  is  tall.  [pp.  326-327] 


To  see  how  the  logic  confronts  the  issues  mentioned  above,  consider  again  the  example  of 
processes  in  an  unreliable  network.  Suppose  that  they  refer  to  each  other  using  numbers,  thus: 

#1  knows  that  #5  knows  that  #1  needs  help. 
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The  logic  should  enable  us  to  express  all  the  different  meanings  of  this  sentence  corresponding 
to  different  scopes  for  the  names.  The  innermost-scope  interpretation  is  expressed  thus: 

Vx(ln(me,z,  #1)  ->  Ka.Vj/(ln(me,y,#5)  -*• 

Ky  Vz(ln(me,  z,  #1)  — >  NeedsHelp(^)))  j  (3.2) 

Each  occurrence  of  ‘me’  potentially  denotes  a  different  agent;  the  denotation  is  determined  by 
the  scope,  and  scope -boundaries  are  marked  by  occurrences  of  modal  operators.  For  example, 
the  last  ‘me’  is  in  the  scope  of  ‘IK,/  and  thus  has  the  same  denotation  as  ‘y’;  the  second  ‘me’ 
has  the  same  denotation  as  ‘x\  The  first  ‘me’  denotes  the  agent  in  whatever  world-agent  pair 
this  formula  is  interpreted  for  (which  we  have  not  specified).  Notice  that  the  second  instance  of 
‘#1’  does  not  necessarily  refer  to  the  same  agent  as  the  first  instance  does. 

There  are  multiple  possible  outer-scope  interpretations.  We  will  formalize  one  in  which  both 
instances  of  ‘#1’  refer  to  the  same  agent: 

Va;^ln(me,  x,  #1)  ->  Vy(ln(me,  y,  #5)  -> 

3X (ln(y,  me,  X)  A  Ky  Vz(ln(me,  z,  X)  — >  NeedsHclp(^))))  j  (3.3) 

Because  this  outer-scope  interpretation  does  not  say  how  “y”  (that  is,  the  agent  called  ‘#5’) 
refers  to  x  — just  that  it  does  refer  to  x  —  this  formula  must  hypothesize  some  name  f‘3A"’)  in 
order  to  describe  y’s  knowledge. 

(3.3)  also  shows  how  this  logic  resolves  the  issue  of  multiple  ways  of  referring:  after  ‘3X’,  the 
formula  could  have  included  material  that  says  more  about  X  —  for  example,  ‘IpAddress(X)’. 

3.6.3  Critique 

I  will  mention  one  issue  that  should  be  resolved  before  employing  the  logic:  the  role  of  con¬ 
stants  other  than  ‘me’  —  namely,  ‘a’,  ‘6’,  ‘A’,  ‘B\  etc.  In  the  semantics  of  Grove’s  logic  as 
well  as  traditional  quantified  modal  logic,  constants’  denotations  can  vary  from  world  to  world 
—  effectively,  they  always  have  innermost  scope.  Since  Grove’s  logic  provides  a  more  rigorous 
way  of  expressing  innermost- scope  interpretations,  what  purpose  do  constants  serve  in  the  lan¬ 
guage?  Interestingly,  in  most  of  Grove’s  examples  of  formulas  in  his  language  the  only  agent 
constant  is  ‘me’.  More  importantly,  the  denotations  of  name  constants  also  vary  by  world,  and 
this  seems  to  undermine  the  usefulness  of  formulas  like  (3.2),  because  otherwise  the  rigidity  of 
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the  name  constants  (e.g.,  ‘#1’)  would  enable  agents  to  reason  about  each  other’s  knowledge. 

As  mentioned  above,  Grove’s  logic  was  very  inspirational  for  the  mathematical  model  begun 
in  Chapter  5.  In  fact,  our  goal  in  that  chapter  will  be  to  create  a  model  that  could  form  a 
semantics  of  a  logic  like  Grove’s,  adapted  to  belief.  The  most  compelling  aspect  of  Grove’s 
logic  is  that  it  explicitly  deals  with  names  as  well  as  agents,  and  this  means  that  it  can  be  used  to 
describe  different  kinds  of  names  (such  as  the  kinds  mentioned  by  Kaplan).  The  ability  to  model 
subjective  knowledge  has  some  interesting  potential  as  well:  for  example,  if  agent  c  receives 
some  random  message  M,  what  better  way  is  there  to  represent  c’s  name  for  the  sender  than 
with  something  like  ‘the  agent  who  just  sent  me  M’? 


29 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


30 


CHAPTER  4: 

Survey  of  Beliefs  in  Security  Protocols 


In  this  chapter,  we  will  consider  five  example  protocols.  For  each  example,  we  will  choose  one 
of  the  principals  and  then  consider  the  following  questions: 

•  What  belief  is  the  principal  supposed  to  have  at  the  end  of  a  run  of  the  protocol? 

•  What  assumptions  is  the  principal  supposed  to  make  as  a  participant  in  the  protocol? 

Before  we  consider  the  examples,  we  must  have  a  general  idea  of  the  relationships  between  a 
protocol’s  goals  and  the  principals’  beliefs. 

4.1  General  Model  of  Security  Protocols’  Goals 

A  security  protocol  is  designed  to  enforce  at  least  some  parts  of  a  security  policy,  which  usu¬ 
ally  includes  goals  that  fit  into  the  venerable  “CIA  Triad”  —  Confidentiality,  Integrity,  and 
Availability.  The  parts  of  the  security  policy  that  a  protocol  is  supposed  to  enforce  constitute 
the  protocol’s  security  goals.  We  consider  a  security  protocol  to  be  broken  when  we  discover 
that  there  is  a  (perhaps  hypothetical)  case  in  which  the  protocol  is  used  correctly  but  does  not 
achieve  its  security  goals. 

Security  goals  can  often  be  stated  in  terms  of  events  or  behaviors  rather  than  beliefs  or  knowl¬ 
edge  (e.g.,  confidentiality  of  some  message  M  can  be  defined  as  the  inability  of  an  unauthorized 
principal  to  send  M ).  For  example,  the  strand  space  method  ([40])  analyzes  protocols  purely 
in  terms  of  possible  sequences  of  events.  To  the  extent  that  a  protocol’s  security  goals  do  not 
involve  belief,  whether  that  protocol  is  broken  is  independent  of  what  any  principal  believes. 

However,  security  protocols  clearly  do  have  goals  that  involve  belief.  For  example,  as  Paul 
Syverson  ([32])  observed,  a  secure  key  is  not  much  good  to  me  if  I  do  not  believe  that  it  is 
secure.  In  general,  for  each  role  of  a  security  protocol,  there  is  a  set  of  goal  beliefs  such  that 
whoever  is  playing  that  role  is  supposed  to  end  up  with  those  beliefs  at  the  end  of  a  run  of  the 
protocol.  In  other  words,  one  of  the  goals  of  a  security  protocol  is  that,  at  the  end  of  a  run,  each 
principal  has  acquired  its  goal  beliefs.  Security  goals  and  goal  beliefs  are  distinct  but  related:  a 
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role’s  goal  belief  expresses  the  security  goals  that  are  important  to  whoever  is  playing  that  role. 
If  those  security  goals  have  not  been  achieved,  then  the  goal  belief  will  be  false. 

During  a  run,  principals  are  not  expected  to  acquire  their  goal  beliefs  out  of  thin  air;  rather, 
they  should  acquire  them  as  a  result  of  their  participation  in  the  run  and  of  beliefs  that  they 
held  before  the  run  began.  For  example,  a  principal  —  Bob  —  with  knowledge  of  asymmetric 
cryptography  and  the  belief  that  A  is  a  public  key  can  conclude,  after  observing  the  message 
M'  =  {]M[}x-i,  that  M'  was  made  by  someone  who  possessed  A-1.  If  Bob  also  believes  that 
Alice  is  the  only  principal  who  possesses  K~ 1 ,  then  he  can  also  conclude  that  Alice  created 
M' .  If  Bob  also  has  certain  beliefs  about  the  intended  interpretation  of  M'  in  the  context  of  the 
protocol,  then  he  can  conclude  that  Alice  wants  to  communicate  some  idea  or  proposition  that 
is  encoded  in  M .  In  general,  security-protocol  designers  assume  that  a  participant  starts  out 
with  a  particular  set  of  beliefs,  and  these  constitute  his  role’s  required  assumptions',  designers 
construct  the  protocol  so  that  the  participant  will  observe  a  sequence  of  events  that  causes  him 
to  infer  his  role’s  goal  beliefs. 

In  this  rest  of  this  chapter,  we  will  investigate  the  required  assumptions  of  some  example  proto¬ 
cols. 


4.2  Message  Authentication  with  Digital  Signatures 

Suppose  Alice  works  at  BigBank,  and  that  BigBank  signs  all  important  internal  email  messages 
with  private  key  I\XiX\  and  gives  its  employees  its  public  key  Abb  so  that  they  can  authenticate 
the  messages.  Whatever  the  particular  protocol  used  for  signing  email  messages,  it  has  the  form 
shown  in  Figure  4.1. 


BigBank 

Mi\Mi\ K~i 


Figure  4.1:  A  Simple  Email  Signature  Protocol  for  BigBank.  Mi  is  an  unsigned  email  message.  Mi  also  occurs 
outside  the  signature  so  that  the  recipient  can  verify  that  he  or  she  used  the  correct  public  key  to  check  the  signature. 


Suppose  the  run  shown  in  Figure  4.1  occurs  —  that  is,  Alice  receives  MX{\MX  .  Because  she 
has  Abb*  she  knows  that  the  term  following  the  first  instance  of  Mx  is  the  result  of  encrypting 
Mi  with  Kx>x\ .  For  this  run  of  the  protocol,  its  goal  is  to  convince  Alice  of  the  following: 
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Goal  Belief  4.2.1  (For  Alice).  Mi{]Mi[}k-i  was  sent  by  BigBank. 

Alice  must  start  with  some  assumptions  in  order  to  infer  this  belief.  There  are  many  possible 
assumptions  that  would  work,  but  it  is  reasonable  to  assume  that  Alice’s  role  in  the  protocol  is 
intended  to  be  filled  by  someone  making  assumptions  like  the  following: 

Assumption  Set  4.2.1  (For  Alice). 

1.  For  any  message  M  and  public  key  K,  if  I  receive  M  then  someone  with  I\  1 

sent  it. 

2.  Only  BigBank  has  A'BI' . 

There  are  some  important  differences  between  these  two  assumptions.  The  first  assumption  is 
about  the  protocol’s  cryptography,  and  if  it  is  ever  false  we  would  consider  the  protocol  to  be 
broken.  But  we  would  not  necessarily  consider  it  to  be  broken  if  the  second  assumption  is  false. 


Now  suppose  that,  instead  of  an  employee  of  BigBank,  Alice  is  a  customer.  A'bb  is  now  a 
public  key  that  BigBank  publishes  in  a  certificate  and  that  it  uses  for  communication  with  cus¬ 
tomers  (e.g.,  on  a  website).  In  general,  along  with  a  public  key,  a  certificate  contains  iden¬ 
tifying  information  such  as  a  name,  an  address,  and  an  email  address;  we  will  call  such  a 
collection  of  information  ‘an  identifier’.  For  any  identifier  N  and  public  keys  K\  and  K2,  we 
will  use  ‘sigcert(7V,  A'1,  K2)’  to  denote  the  certificate  containing  N  and  K\  and  signed  with 
Kf 1 .  Let  A’bb  be  the  identifier  on  BigBank’s  certificate.  Suppose  that  there  is  a  certification 
authority  Auth  whose  public  key  is  A'Auth  and  who  has  signed  BigBank’s  certificate  to  make 
sigcert(A’BB.  A'Bb,  A'Auth)-  Finally,  suppose  that  Alice  has  A'Au|1i.  The  protocol  (whatever  the 
details)  still  has  a  simple  form,  shown  in  Figure  4.2. 


BigBank 

A 

abb 

C=sigcert  ( NBB  Abb  ,  A'Auth ) 

Figure  4.2:  A  Simple  Email  Signature  Protocol  for  BigBank,  with  Certificate  Exchange.  Mi  is  an  unsigned  email 
message. 
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Suppose  such  a  run  occurs.  This  run  has  a  similar  goal  belief  to  the  first  one,  but  for  this 
kind  of  protocol  (specifically,  message-signature  protocols  relying  on  a  public-key  infrastruc¬ 
ture  (PKI)),  Alice  is  supposed  to  make  assumptions  like  the  following: 

Assumption  Set  4.2.2  (For  Alice). 


1.  For  any  message  M  and  public  key  K,  if  I  receive  M  then  someone  with  K  1 

sent  it. 

2.  For  any  identifier  A  and  public  key  K,  if  I  receive  sigcert  (. A ,  I\ .  K Auth)  then  Auth  believes 
that  only  the  principal  identified  by  A  has  K  1 . 

3.  For  any  identifier  A  and  public  key  K,  if  Auth  believes  that  only  the  principal  identified 
by  N  has  K~l,  then  only  the  principal  identified  by  N  has  K 

4.  The  principal  identified  by  Abb  is  BigBank. 

(Note  that  receiving  M§M$k-iC  counts  as  receiving  The  first  assumption  is 

about  the  protocol’s  cryptography.  The  second  assumption  says  that  sigcert  (A,  K,  K Auth)  is 
Auth’s  way  of  saying  that  it  has  a  certain  belief,  and  that  Auth  is  telling  the  truth  when  it  says 
this.  In  other  words,  the  second  assumption  says  that  Auth  is  honest.  The  third  assumption  says 
that  Auth’s  belief  is  true  —  in  other  words,  that  Auth  is  competent.  We  could  say  that  these 
two  assumptions  constitute  Alice’s  trust  in  Auth.  The  fourth  assumption  is  about  the  meaning 
of  the  name  ABB.  The  goal  is  achieved  when  Alice  applies  these  assumptions  to  infer  that 
Auth  believes  that  only  the  principal  identified  by  ABb  has  Ag  g ,  hence  that  only  the  principal 
identified  by  ABB  has  /iBB,  hence  that  only  BigBank  has  Agg,  and  finally  that  BigBank  sent 


In  this  example,  we  have  identified  two  categories  of  assumptions  —  assumptions  of  honesty 
and  assumptions  of  competence  —  that  constitute  trust  in  another  principal.  In  general,  many 
security  protocols  (and  all  protocols  that  use  “trusted  third  parties”  like  Auth)  will  have  such 
required  assumptions,  which  the  principals  must  accept  in  order  to  achieve  their  goals.  We  will 
look  at  the  required  assumptions  of  three  more  protocols,  but  first  we  should  consider  what 
these  assumptions  tell  us  about  a  protocol. 

It  may  be  that  the  cryptography  used  in  this  protocol  is  perfect;  nevertheless,  if  the  last  three 
assumptions  are  false,  Alice  could  still  end  up  in  an  insecure  position.  For  example,  the  protocol 
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can  guarantee  that  only  someone  with  sent  M{]M|}A-- 1,  but  it  cannot  guarantee  that  Big- 
Bank  did  not  share  with  someone  else.  These  assumptions  thus  create  risks.  Identifying  a 
protocol’s  required  assumptions  enables  us  to  understand  the  ways  in  which  it  might  fail  other 
than  by  being  broken. 

The  way  we  express  required  assumptions  affects  how  much  we  can  leam  about  the  ways  a 
protocol  might  fail.  If  we  are  imprecise,  we  might  underestimate  the  risk  of  using  the  protocol. 
Instead  of  Assumption  Set  4.2.2,  we  might  have  described  Alice’s  assumptions  thus: 

1.  For  any  message  M  and  public  key  K,  if  I  receive  M  {|  M  (}  K  i  then  someone  with  K  1 
sent  it. 

2.  For  any  principal  P  and  public  key  K,  if  Auth  says  that  only  P  has  K~l,  then  Auth 
believes  this. 

3.  For  any  principal  P  and  public  key  K,  if  Auth  believes  that  only  P  has  K~ 1 ,  then  it  is 
true. 

This  is  quite  concise  and  clearly  shows  the  assumption  of  honesty  and  the  assumption  of  com¬ 
petence.  Compared  to  Assumption  Set  4.2.2,  though,  it  leaves  some  important  questions  unan¬ 
swered,  such  as:  How  (i.e.,  with  what  message)  does  Auth  say  that  only  P  has  AT-1?  What 
name  does  Auth  use  for  PI  How  will  a  message  be  signed?  Even  without  knowing  it,  by  partic¬ 
ipating  in  the  protocol  Alice  will  effectively  assume  some  answers  to  these  questions,  and  she 
may  be  wrong. 

Consequences  of  Failure 

If  Alice’s  assumptions  are  false,  then  BigBank  might  not  have  sent  M  {|  M (}  i .  Alice  could 
end  up  sharing  her  banking  credentials  with  a  criminal,  which  is  clearly  bad.  But  PKI  proto¬ 
cols  like  this  one  can  be  used  in  other,  less  risky  ways.  Suppose  that,  when  Alice  communi¬ 
cates  with  BigBank  for  the  first  time  (using  this  protocol),  all  of  her  assumptions  are  true,  and 
when  finished  she  retains  BigBank’s  certificate,  perhaps  so  that  she  can  easily  encrypt  mes¬ 
sages  to  BigBank  with  BigBank’s  public  key.  Later,  Auth  is  somehow  compromised  and  makes 
sigcert(i\rBB,  Kp,  KAuth),  where  KP  is  the  public  key  of  an  attacker.  If  Alice  still  relies  on  Auth 
to  tell  her  what  BigBank’s  public  key  is,  then  she  is  in  trouble,  but  fortunately  she  just  continues 
to  use  K }>,}>,-  In  her  communications  with  BigBank,  she  no  longer  needs  to  trust  Auth  (or  at 
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least  she  does  not  need  to  believe  that  Auth  is  trustworthy  at  this  time),  because  now  her  only 
assumption  is  that  BigBank’s  public  key  is  A'Bb;  she  just  needs  to  trust  BigBank  to  protect  . 

4.3  OpenID 

4.3.1  For  Adult  Verification 

OpenID  ([41])  is  an  authentication  scheme  of  the  kind  advocated  by  the  While  House’s  NSTIC 
(discussed  in  the  beginning  of  Chapter  1).  The  main  function  is  to  enable  a  user  to  use  the 
same  name  to  log  into  multiple  (unaffiliated)  websites.  One  principal,  the  “identity  provider,” 
is  responsible  for  ensuring  that  only  that  user  can  use  his  or  her  ID  by,  for  example,  requiring 
the  user  to  ender  a  password.  Using  the  OpenID  protocol,  the  website  that  the  user  wants  to  log 
into  (the  “relying  party”)  interacts  with  the  user  and  the  identity  provider  so  that  the  identity 
provider  authenticates  the  user  and  then  tells  the  relying  party  that  the  user  was  authenticated, 
without  revealing  the  user’s  credentials  (usually  a  password)  to  the  relying  party. 

OpenID  can  also  be  used  to  exchange  information  about  a  user  when  the  protocol  is  combined 
with  an  extension  called  ‘Attribute  Exchange’  ([42]).  In  this  case,  the  identity  provider  happens 
to  be  an  authority  (at  least  in  someone’s  opinion)  about  some  aspects  (e.g.,  age)  of  its  clients, 
and  the  relying  party  happens  to  need  to  know  about  just  such  aspects.  The  user  can  have  the 
identity  provider  assert  to  the  relying  party  that,  for  example,  he  or  she  has  a  certain  age  or 
belongs  to  a  certain  security  group,  with  or  without  revealing  his  or  her  ID  to  the  relying  party. 
We  will  consider  an  example  of  this  way  of  using  OpenID. 

Forget  what  we  have  said  about  Alice,  BigBank,  and  Auth.  Now  suppose  that  Alice  is  a  potential 
customer  of  BigBank,  that  BigBank  requires  a  potential  customer  to  be  an  adult  in  order  to  open 
an  account,  and  that  Auth  is  an  identity  provider  that  is  willing  to  assert  that  Alice,  who  has  an 
ID  with  Auth,  is  an  adult.  Let  Na  be  Alice’s  ID.  With  Attribute  Exchange,  the  relying  party  tells 
the  identity  provider  what  attribute  it  wants  the  value  of,  and  then  the  identity  provider  responds 
with  that  value.  Suppose  there  is  an  attribute  —  we  will  call  it  ‘the  adulthood  attribute’  —  that 
indicates  whether  the  subject  is  an  adult;  its  possible  values  are  ‘true’  and  ‘false’. 

Suppose  that  the  run  shown  in  Figure  4.3  occurs.  OpenID  with  Attribute  Exchange  is  much 
more  complex  than  the  previous  two  protocols,  and  so  I  will  describe  each  step: 

1.  Alice  sends  BigBank  a  message  (Mnew_a cct)  that  says  that  she  would  like  to  open  an  ac¬ 
count,  along  with  Na,  which  is  her  OpenID  ID.  She  might  do  this  by  visiting  a  particular 
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Figure  4.3:  Using  OpenID  for  Adulthood  Verification 


URI  (e.g.,  ‘/createAccount’)  or  by  submitting  an  HTML  form;  in  any  case  ‘Mnew_ acct’ 
denotes  the  part  of  the  message  that  indicates  Alice’s  intention  to  BigBank. 

2.  BigBank  and  Auth  use  Diffie-Hellman  Key  Exchange  ([43])  to  agree  on  a  shared  key  K 
and  on  an  “association  handle”  H,  which  they  will  use  to  recognize  messages  belonging 
to  this  conversation. 

3.  BigBank  sends  Alice  HAadu it?,  which  she  is  supposed  to  forward  to  Auth.  Aaduit?  is  a 
string  that  requests  (in  accordance  with  the  Attribute  Exchange  specification)  the  value  of 
the  adulthood  attribute.  (Actually,  BigBank  includes  A’a  in  the  message  as  a  convenience 
to  Alice,  but  I  left  this  out  since  it  is  not  important  for  this  analysis.) 

4.  Alice  sends  N^H Aaduit?  to  Auth. 
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5.  Auth  somehow  authenticates  Alice  against  N\. 

6.  Auth  sends  Alice  the  message  NA /A4aduU=T {] NA HA.Ml=T [} K,  which  she  is  supposed  to 
forward  to  BigBank.  Aaduit=T  is  a  string  that  says  (again,  in  accordance  with  the  Attribute 
Exchange  specification)  that  the  adulthood  attribute’s  value  is  ‘true’. 

7.  Alice  forwards  NA // AaduU=T {] NA /7/4aduU=T [} K  to  BigBank. 

In  the  previous  sections,  we  considered  Alice’s  point  of  view.  Here,  we  will  consider  BigBank’s. 
What  is  the  goal  of  this  run  with  regard  to  BigBank?  That  is,  what  is  it  supposed  to  convince 
BigBank  of?  Consider  this  possible  formulation  of  the  goal  belief: 

Alice  is  an  adult. 

In  a  way,  this  is  correct;  indeed,  if  we  were  to  ask  Alice,  she  would  say  something  like  ‘The 
goal  is  to  convince  the  bank  that  I  am  an  adult’.  But  look  at  the  string  that  Auth  signed  and 
sent  (indirectly)  to  BigBank  —  N aH  A^u^t-  Na  is  not  necessarily  ‘Alice’,  and  BigBank  does 
not  necessarily  know  whom  NA  belongs  to.  It  is  true  that,  in  Goal  Belief  4.2.1,  we  used  the 
name  ‘BigBank’  in  describing  Alice’s  beliefs,  but  in  those  examples  Alice  starts  out  knowing 
BigBank  in  a  way  that  BigBank,  in  the  present  example,  may  not  know  Alice.  We  want  this 
protocol  to  work  even  if  BigBank  initially  knows  nothing  about  Alice,  but  in  such  a  case  it 
makes  no  sense  to  describe  the  belief  arising  from  NA  /-/Vladu|t=T  with  a  sentence  containing  the 
name  ‘Alice’.  Therefore,  a  better  formulation  of  the  goal  belief  is  this: 

Goal  Belief  4.3.1  (For  BigBank).  The  principal  whom  Auth  calls  NA  is  an  adult. 

Now  we  can  consider  BigBank’s  assumptions: 

Assumption  Set  4.3.1  (For  BigBank). 

1.  For  any  string  H,  OpenID  ID  N,  and  symmetric  key  K,  if  I  have  established  a  session  with 
Auth  whose  handle  is  H  and  whose  key  is  K,  then  if  I  receive  Nil  Aadull=Ti\  Nil  Aadldt=1f  K 
then  Auth  believes  that  the  principal  whom  it  calls  N  is  an  adult. 

2.  If  Auth  believes  that  some  principal  is  an  adult,  then  that  principal  is  an  adult. 
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As  in  Assumption  Set  4.2.2,  we  have  one  assumption  about  Auth’s  honesty  and  another  about 
Auth’s  competence. 

The  danger  for  BigBank  of  using  this  protocol  is  that  the  principal  whom  Auth  is  currently 
calling  N  is  not  an  adult.  The  risk  depends  on  the  consequences  of  BigBank  opening  an  account 
for  a  child;  they  are  probably  not  catastrophic.  But  in  the  next  subsection  we  will  look  at  what 
happens  if  BigBank  uses  OpenID  for  another  purpose. 

4.3.2  For  Authentication 

We  will  plausibly  extend  this  example  by  supposing  that  customers  can  log  into  BigBank’s 
website  using  their  OpenID  IDs  —  after  all,  BigBank  was  already  using  these  IDs  to  verify 
adulthood.  The  protocol  (Figure  4.4)  is  almost  the  same  as  before. 

Suppose  Alice  has  established  an  account  at  BigBank  and  now  uses  her  OpenID  ID,  NA,  to  log 
into  BigBank’s  website.  Suppose  the  run  shown  in  Figure  4.4  occurs  and  afterward  Alice  can 
access  her  account.  Again,  we  will  look  at  the  example  from  BigBank’s  point  of  view.  The 
goal  belief  must  induce  BigBank  to  let  Alice  access  her  account,  and  so  to  find  the  goal  belief 
we  must  consider  how  Alice  will  access  her  account.  Notice  that,  at  the  beginning  of  the  run, 
BigBank  sends  Alice  the  string  Asn>  this  is  a  tag  that  they  will  both  use  to  recognize  messages 
in  this  session  (perhaps  by  sending  it  back  and  forth  in  an  HTTP  cookie).  Thus  Alice  will  access 
her  account  using  AgID  as  a  session  ID.  Immediately  after  the  first  message  is  sent,  BigBank 
does  not  know  whom  it  is  talking  to,  but  it  does  have  a  name  for  this  principal:  A^m-  The  goal 
belief  must  attribute  some  property  cf)  to  the  principal  called  Asid  that  is  sufficient  (according  to 
BigBank’s  security  policy)  to  be  allowed  access  to  Alice’s  account.  It  therefore  must  have  the 
following  form: 

For  any  principal  x,  if  I  call  x  Asid  then  o(x). 

At  first  it  seems  obvious  that  (ft  is  the  property  of  being  Alice,  but  what  does  it  mean  to  say 
‘BigBank  believes  that  the  principal  called  Asm  is  Alice’  when  (as  we  discussed  above)  Big¬ 
Bank  probably  does  not  really  know  Alice?  Since  Alice’s  account  is  a  bank  account,  it  must 
include  a  set  D  of  data  —  such  as  Alice’s  full  name,  address,  and  even  Social  Security  number 
—  that  we  would  consider  to  be  “identifying”  in  that  there  is  a  conventional  and  objective  way 
of  interpreting  it  in  order  to  find  significant  artifacts  of  a  unique  person,  such  as  that  very  per¬ 
son,  that  person’s  house  or  family,  or  more  identifying  data  about  that  person.  So,  rather  than 
claiming  that  BigBank  requires  the  user  to  “be  Alice,”  we  can  claim  that  it  requires  the  user  to 
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Figure  4.4:  Using  OpenID  for  Authentication 


be  the  person  thus  identified  by  D  —  in  other  words,  to  be  the  person  whom  BigBank  calls  I). 
Perhaps  now  we  can  state  the  goal  belief: 

For  any  principal  x,  if  I  call  x  Asid  then  I  call  x  D. 


There  is  something  wrong  this  this  formulation,  however.  Notice  that  we  are  using  ‘call’  with 
two  different  senses.  To  be  “called  iVgID”  by  BigBank  is  not  to  be  described  by  iVSID,  since 
AgID  does  not  describe  anything  —  it  is  just  an  arbitrary  value.  Rather,  it  is  to  be  able  to 
send  messages  containing  Asid  to  BigBank,  and  whether  a  particular  principal  has  this  ability 
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depends  on  things  like  whether  Asm  was  encrypted  when  it  was  sent,  whether  Alice  has  shared 
iVSID,  and  so  on,  and  it  is  possible  to  imagine  anyone  having  this  ability,  just  as  it  is  possible 
to  imagine  that  our  solar  system  has  only  five  planets.  In  other  words,  it  is  contingent.  On  the 
other  hand,  to  be  “called  D”  by  BigBank  is,  effectively,  to  be  Alice,  because  a  world  where 
BigBank  calls  someone  else  D  makes  as  much  sense  as  a  world  where  BigBank  calls  an  integer 
other  than  9  ‘the  successor  of  8’.  Clearly  ASm  and  D  have  different  roles  in  this  interaction 
—  they  are  different  kinds  of  names  corresponding  to  different  meanings  of  ‘call’.  It  turns  out 
that  David  Kaplan  has  also  discovered  these  (and  other)  kinds  of  names.  In  Kaplan’s  terms  (cf. 
[29]),  D  is  a  “vivid  name”  that  “denotes”  Alice,  whereas  ASm  is  such  that,  if  BigBank  calls 
Alice  Asm,  then  Asm  is  “ of  ”  Alice,  but  it  never  “denotes”  Alice  because  it  has  no  “descriptive 
content.”  In  just  a  few  steps,  our  analysis  of  authentication  has  wondered  into  the  territory  of 
philosophy.  Going  deeper  than  this  would  lead  us  out  of  the  scope  of  this  thesis,  and  so  we 
will  just  acknowledge  the  two  meanings  of  ‘call’  and  distinguish  between  them  with  subscripts: 
‘calli’  will  indicate  that  the  name  in  question  is  non- vivid,  while  ‘call2’  will  indicate  that  it  is 
vivid.  We  thus  have  the  following: 

Goal  Belief  4.3.2  (For  BigBank).  For  any  principal  x,  if  I  call  i  x  Asm  then  I  call-2  x  D. 

(For  more  on  these  philosophical  issues,  cf.  [25],  [28],  and  especially  [29].) 

So  how  does  OpenID  achieve  this  goal?  When  Alice’s  account  was  created,  BigBank  associated 
Aa  with  it,  effectively  creating  the  policy  that  whomever  Auth  calls  NA  is  allowed  to  access 
the  account,  and  so  BigBank  must  believe  that  whomever  Auth  callsi  N\  BigBank  calls2  D. 
Which  sense  of  ‘calls’  holds  between  Auth  and  Aa?  OpenID  IDs  are  not  very  descriptive  (and 
certainly  not  as  descriptive  as  identifiers  like  D ),  and  so  it  seems  best  to  choose  ‘calls,’.  Thus 
all  the  protocol  needs  to  do  to  convince  BigBank  of  the  goal  belief  is  to  convince  BigBank  that 
whomever  it  callsi  Asm  Auth  callsi  Aa.  We  therefore  posit  that  BigBank  makes  the  following 
assumptions: 

Assumption  Set  4.3.2  (For  BigBank). 

1.  For  any  string  H,  OpenID  ID  N,  session  ID  Asm,  and  session  key  K,  if  I  have  established 
a  session  with  Auth  whose  handle  is  A  and  whose  key  is  K  and  if  I  have  sent  Asm  A,  then 
if  I  receive  Asm  Aa  A  {|  NA II  |}  K  then  whomever  I  calli  Asm  Auth  callsi  Aa. 

2.  For  any  principal  x,  if  Auth  callsi  x  NA  then  I  call2  x  D. 
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If  the  distinction  indicated  with  the  subscripts  on  ‘calls’  seems  too  academic,  try  formulating 
Goal  Belief  4.3.2  with  only  one  sense  of  ‘calls’.  We  could  use  only  ‘callx’,  resulting  in  this: 

For  any  principal  x,  if  I  calli  x  Ns m  then  I  calli  x  D.  (4.1) 

Now,  imagine  that,  instead  of  Alice,  an  attacker  plays  her  role,  gets  the  session  ID  A^SID  from 
BigBank,  and  sends  Nsir>N\  to  BigBank;  and  then  Auth  messes  up  for  some  reason  and  calls  | 
the  penetrator  N\,  so  that  BigBank  allows  the  penetrator  to  access  Alice’s  account.  Does  this 
make  (4.1)  false?  BigBank  is  certainly  calling,  the  penetrator  D,  and  thus  the  consequent  is 
true;  therefore  BigBank  cannot  be  accused  of  having  a  false  belief.  (4.1)  thus  fails  to  capture 
BigBank’s  security  policy.  Alternatively,  we  could  use  just  ‘call2’  to  formulate  the  goal  belief, 
but  then  the  antecedent  would  never  be  true  because  names  like  A(std  (which  is  just  an  arbitrary 
value)  have  no  meaning.  So  we  see  that  we  must  make  this  distinction  between  kinds  of  names 
in  order  to  understand  BigBank’s  goal  belief. 

Consequences  of  Failure 


Figure  4.5:  Using  OpenID  for  Authentication,  with  Dishonest  Auth 


There  are  many  ways  in  which  these  assumptions  could  be  false,  and  many  of  them  can  be 
found  with  a  deeper  discussion  of  the  relations  denoted  by  ‘callsi’  and  ‘calls2’  (along  the  lines 
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of  [29]).  Here,  I  will  just  mention  that,  obviously,  one  general  way  is  that  Auth  callsi  someone 
other  than  Alice  NA.  To  be  concrete,  suppose  Auth  calls!  itself  NA .  The  run  is  now  as  shown 
in  Figure  4.5. 

This  is  similar  to  a  failure  of  PKI-based  protocols  in  which  the  authority  signs  a  bad  certificate. 
But  the  interesting  thing  is  how  the  consequences  in  the  present  case  differ  from  those  in  the 
PKI  case.  The  potential  damage  caused  by  Auth’s  mischief  in  the  PKI  case  is  serious,  but  it 
is  at  least  limited  by  the  fact  that  it  does  not  provide  the  attacker  access  to  data  encrypted  with 
the  legitimate  public  key  and  it  does  not  hurt  Alice  if  she  always  trusts  the  legitimate  public 
key  instead  of  relying  on  Auth.  In  the  present  case,  Auth’s  mischief  results  in  Auth  having 
complete  access  to  Alice’s  account;  BigBank  and  Alice  thus  utterly  depend  on  Auth’s  honesty 
and  competence. 


4.4  Anonymous  Adulthood  Verification 

Finally,  we  will  consider  a  security  protocol  called  ‘AdultVerify’,  for  which  it  is  almost  impos¬ 
sible  to  ignore  names  when  formulating  the  required  assumptions.  I  invented  this  protocol  to 
use  as  an  example  in  this  thesis.  It  has  not  been  rigorously  reviewed  by  anyone;  although  I  think 
that  it  is  secure,  it  may  be  broken  and  therefore  should  not  be  used.  However,  I  believe  that,  if  it 
is  broken,  any  changes  needed  to  fix  it  would  not  falsify  the  analysis  presented  in  this  section. 

AdultVerify’s  purpose  is  very  similar  to  that  of  the  first  OpenID  example:  to  convince  a  server 
that  a  client  is  an  adult  using  an  assertion  from  an  authority.  The  difference  is  that  the  client 
does  not  want  the  server  to  know  who  he  or  she  is,  and  does  not  want  the  authority  to  know  that 
he  or  she  is  using  the  server’s  service.  This  “anonymity  requirement”  cannot  be  satisfied  with 
OpenID. 

Applying  AdultVerify  to  Alice,  BigBank,  and  Auth  results  in  the  run  shown  in  Figure  4.6. 
Again,  BigBank  allows  only  adults  to  create  accounts.  The  goal  is  for  Alice  to  establish  an 
account  with  BigBank,  under  a  username  (Ax)  provided  by  BigBank.  Ax  might  be  sensitive, 
and  so  it  must  not  be  revealed  to  Auth;  therefore  BigBank  must  encrypt  it  before  sending  it  to 
Alice.  At  the  beginning  of  the  run,  Alice  and  BigBank  establish  a  temporary  encryption  session 
with  session  ID  Asid  and  symmetric  key  /Cih-  which  is  created  through  Diffie-Hellman  Key 
Exchange.  (If  you  are  not  familiar  with  Diffie-Hellman  Key  Exchange,  you  just  need  to  know 
that  in  Diffie-Hellman  two  principals  send  each  other  (unencrypted)  integers  from  which  they 
can  compute  a  symmetric  key;  the  “magic”  is  that  only  those  two  principals  can  compute  that 
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key,  even  if  a  penetrator  intercepted  both  of  the  exchanged  integers.) 


Auth  Alice  BigBank 


\NA  P  {JVx}jrdhJirA 


Av 


Figure  4.6:  Using  AduitVerify. 
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The  run  is  as  follows: 

1 .  As  the  first  step  in  Diffie-Hellman  Key  Exchange,  Alice  picks  and  sends  the  integer  d\ . 

2.  BigBank  sends  d2  {]{]rfi  d2fyK-i  N$m  Nx[ }irdh-  d2  is  BigBank’s  half  of  Diffie-Hellman, 
and  Kdh  is  the  symmetric  key  made  from  d\  and  d2.  In  the  encrypted  part  of  the  message, 
did2  is  signed  with  BigBank’s  private  key  KB^,  and  ASID  and  Nx  are  nonces  that  Big¬ 
Bank  generated.  ATsid  will  be  used  as  the  session  ID,  and  Nx  will  be  Alice’s  username. 

3.  Alice  now  must  prove  that  she  is  an  adult  to  BigBank.  She  sends  {\NA  P  {|Arx|}/Xl(l  |}/\'A 
to  Auth.  /i  a  is  Auth’s  public  key  for  encryption;  NA  is  the  ID  Alice  uses  with  Auth,  and 
P  is  her  password.  If  Auth  believes  that  she  is  an  adult,  it  will  sign  {]  Nx  [}  k,u<  with  the 
private  key  K^l ,  which  it  uses  only  for  this  purpose. 

4.  Auth  verifies  the  ID  NA  and  the  password  P,  and  because  it  believes  that  Alice  is  an  adult, 
it  sends  her  ^A^^Jat1- 

Av 
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5.  Alice  forwards  {KlAx^^-i  t0  BigBank  by  sending  ASiD  {\Z  flflAx|}jrdh|}jr-i|}jrdh. 

Av  Av 

Z  is  a  nonce  that  Alice  chooses  at  this  point. 

6.  BigBank  acknowledges  Alice’s  message  by  sending  back  the  nonce  Z. 


We  will  consider  this  run  from  BigBank’s  point  of  view.  As  in  the  first  OpenID  example, 
BigBank’s  goal  belief  is  something  like  ‘The  principal  whom  I  call  X  is  an  adult’.  At  the  end 
of  the  run,  BigBank  has  two  names  for  the  principal  with  whom  it  is  communicating:  Ns ID 
and  Nx-  As  in  the  first  OpenID  example,  Asm  is  just  a  temporary  name,  and  we  want  the  goal 
belief  to  refer  to  a  permanent  name,  like  jVx.  Ax  is  not  a  descriptive  name,  and  so  ‘call!’  is 
more  appropriate  than  ‘call2’.  We  thus  get  the  following  formulation: 

Goal  Belief  4.4.1  (For  BigBank).  The  principal  whom  I  calf  Nx  is  an  adult. 


One  of  the  required  assumptions  is  that  Auth  is  right  when  it  thinks  that  someone  is  an  adult.  The 
other  one  is  an  interpretation  of  a  class  of  messages  —  namely,  messages  like  {|  {|  Ax|}  Kdh  [}x-  i 
—  as  Audi’s  way  of  saying  that  it  thinks  someone  in  particular  is  an  adult.  In  the  first  OpenID 
example,  BigBank  knows  which  name  Auth  will  use  for  the  client  —  namely,  Nx  —  and  so  it  is 
accurate  for  BigBank  to  attribute  the  belief  ‘The  principal  whom  I  call  Nx  is  an  adult’  to  Auth, 
but  in  the  current  example  BigBank  does  not  know  N\.  Therefore  the  assumption  should  not 
say  anything  about  the  name  that  Auth  uses  to  refer  to  the  client. 

Assumption  Set  4.4.1  (For  BigBank). 


1.  If  during  a  run  of  this  protocol  in  which  N  is  the  username  and  K  is  the  session  key 
I  receive  {|  {|  A|}x|}  ,c-i,  then  the  principal  whom  1  calf  N  is  believed  by  Auth  to  be  an 

Y  Av 

adult. 

2.  If  Auth  believes  that  some  principal  is  an  adult,  then  that  principal  is  an  adult. 


In  the  first  assumption,  it  would  be  misleading  to  attribute  the  belief  ‘The  principal  whom 
BigBank  calls  N  is  an  adult’  to  Auth,  because  the  protocol  is  designed  so  that  Auth  does  not 
know  N  and  is  even  unaware  of  BigBank’s  involvement. 
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4.5  Discussion 

We  have  seen  that  even  simple  protocols  like  the  second  message-signature  protocol  can  require 
non-trivial  assumptions.  In  general,  these  assumptions  fall  into  the  following  (overlapping) 
categories: 

1.  Assumptions  about  the  meaning  of  a  message. 

2.  Assumptions  about  the  use  of  a  name  or  class  of  names. 

3.  Assumptions  asserting  the  honesty  of  a  principal. 

4.  Assumptions  asserting  the  competence  of  a  principal. 

Assumptions  of  the  last  two  categories  are  usually  more  obvious  than  assumptions  of  the  first 
two.  To  fully  understand  the  risks  of  using  a  protocol,  our  formulation  of  the  required  assump¬ 
tions  should  be  precise  enough  to  include  those  in  the  first  two  categories.  But,  as  we  have  seen, 
doing  so  can  take  us  into  tricky  philosophical  territory.  Surprisingly,  there  is  a  body  of  work 
in  the  philosophy  of  language  going  back  more  than  a  hundred  years  that  is  quite  relevant  to 
computer  security  protocols.  Of  course,  from  the  beginning  computer  science  has  had  a  num¬ 
ber  of  significant  connections  to  philosophy,  and  so  perhaps  we  should  not  be  surprised  by  yet 
another. 

Most  of  the  formulations  of  the  goal  beliefs  and  required  assumptions  in  this  chapter  have 
resulted  in  convoluted  sentences,  and  the  cause  has  been  our  determination  to  explicitly  state 
assumptions  about  the  use  of  names.  It  is  easier  to  express  these  beliefs  and  assumptions  using 
a  formal  language.  We  could  then  come  up  with  some  formal  inference  rules  and  use  them 
to  show  that  the  goal  beliefs  follow  from  the  assumptions.  But  proper  use  of  a  formal  logic 
requires,  in  Paul  Syverson’s  words,  “an  independently  motivated  semantics”  ([32,  p.  165]), 
which  in  turn  requires  a  model  of  our  problem  domain.  In  the  next  chapter,  we  take  a  step  toward 
developing  a  model  of  security  protocols  like  those  considered  here  that  includes  principals’ 
beliefs  and  their  use  of  names,  and  we  show  how  this  model  could  be  used  as  the  basis  of  a 
formal  logic. 
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CHAPTER  5: 

Toward  a  Mathematical  Model 


5.1  A  Running  Example:  Simple AdultVerify 

Suppose  we  have  a  very  simple  protocol  called  ‘Simple  Adult  Verify’  with  which  some  authority 
can  reliably  send  unforgeable  assertions  about  people’s  ages.  Specifically,  SimpleAdultVerify 
has  two  roles,  Auth  and  Client,  and  a  run  consists  of  Auth  sending  Client  a  message  saying  either 
that  some  person  is  an  adult  or  that  Auth  does  not  know  whether  some  person  is  an  adult.  (Auth 
does  not  keep  track  of  who  is  not  an  adult.)  Client  would  be  an  online  application  that  needs 
to  restrict  access  to  certain  age-groups.  An  assertion  from  Auth  must  be  about  some  person, 
and  it  must  refer  to  that  person  by  some  name  that  is  meaningful  to  both  Auth  and  Client.  We 
will  assume  that  SimpleAdultVerify  is  used  in  an  environment  in  which  every  principal  has  at 
most  one  name  and  everybody  knows  to  whom  these  names  refer.  For  simplicity,  we  will  also 
assume  that  Auth  always  serves  only  one  Client,  and  so  it  does  not  need  to  keep  track  of  who 
sent  what  query. 

In  this  chapter,  we  will  attempt  to  build  a  model  of  an  application  of  SimpleAdultVerify  to  a 
world  containing  four  principals  —  a,  c,  j,  and  k.  a  plays  the  role  Auth,  c  plays  Client,  and 
j  and  k  do  not  play  any  role.  When  we  make  an  important  decision  about  the  model,  we  will 
express  it  as  a  “postulate.”  Our  first  postulate  expresses  the  goal  of  this  protocol: 

Postulate  5.1  (Successful  Runs  of  SimpleAdultVerify).  A  run  of  SimpleAdultVerify  is  successful 
if  and  only  if  there  exists  a  name  N  such  that  exactly  one  of  the  following  is  true: 


•  Throughout  the  run  a  believes  that  the  principal  named  N  is  an  adult,  and  at  the  end  so 
does  c. 

•  Throughout  the  run,  a  does  not  know  whether  the  principal  named  N  is  an  adult  and  c 
does  not  change  its  belief  about  it. 


The  questions  that  we  want  our  model  to  answer  are  the  following:  What  assumptions  does  c 
have  to  make  for  a  run  to  be  successful?  How  do  principals’  beliefs  change  during  a  run? 
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5.2  Modeling  Actions 

In  this  section,  we  will  build  a  model,  Ssav ,  of  all  the  ways  the  principals  can  interact  in  our 
application  of  Simple  Adult  Verify  —  that  is,  all  the  possible  runs  of  the  protocol  application. 

Ssav  is  an  example  of  a  kind  of  model  that  we  will  call  ‘a  protocol  system’.  Following  the 
multi-agent  system  approach  (cf.  Section  2.1),  a  protocol  system  models  a  protocol  application 
as  a  system  of  principals  with  finite  local  states.  Runs  are  sequences  of  global  states,  and  each 
transition  corresponds  to  one  or  more  exchanges  of  messages  prescribed  by  the  protocol.  Our 
current  task  consists  of  two  steps:  defining  the  structures  of  the  principals’  local  states,  and 
defining  the  transition  function.  We  will  depart  from  the  standard  way  of  defining  multi-agent 
systems  by  requiring  that  runs  be  finite;  runs  of  security  protocols  usually  have  a  definite  ending, 
and  it  is  often  useful  to  refer  to  the  system’s  state  at  this  ending. 

Definition  1.  A  protocol  system  is  a  tuple  ( V .  T ,  C.  TV)  where 

•  V  is  the  set  of  principals  in  the  system. 

•  T  is  the  set  of  texts. 

•  For  each  p  e  V,  there  exists  a  set  Lp  e  C,  which  is  the  set  of  all  possible  local  states  ofp. 

•  1Z  is  a  set  of  runs. 

Let  Ssav  =  (' P ,  T,  C.  71).  In  the  rest  of  this  section,  we  will  specify  the  details  of  Ssav-  We 
can  start  with  two  obvious  ones: 

Postulate  5.2  ( Ssav’s  Principals).  V  =  {a,  c,j,  k} 

Postulate  5.3  (Local-State  Sets).  C  =  {La,  Lc,  Lj,  Lk} 

Now  we  consider  the  principals’  local  states.  For  most  protocol  applications,  there  is  no  single 
right  way  to  design  the  local  states  and  the  transition  function;  the  usefulness  of  a  given  design 
will  depend  on  the  interpretation  the  analyst  gives  to  the  principals’  local  states.  While  there 
are  often  many  alternative  designs,  we  will  construct  Ssav  in  accordance  with  the  following 
principle:  a  principal’s  local  state  only  represents  previous  or  potential  behavior,  in  accordance 
with  the  protocol,  of  that  principal.  In  particular,  a  local  state  must  not  be  intended  to  indicate 
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how  data  is  stored  by  the  principal  or  the  principal’s  beliefs.  When  defining  the  structure  of 
a  local  state,  it  is  a  good  idea  to  provide  a  behavioral  interpretation  for  each  element  of  the 
structure.  Since  a  principal’s  behavior  or  history  will  always  involve  messages  that  are  sent  or 
received,  their  local  states  will  include  sets  of  or  relations  over  texts.  The  possible  texts  are 
specified  in  the  protocol  system  with  T . 

We  start  with  the  local  states  of  a.  Clearly,  a’s  local  states  must  contain  a  set  adult  Names 
of  names  of  principals  whom  a  would  affirm  to  be  adults  (notice  that  I  did  not  write  ‘whom  a 
believes  to  be  adults’).  adultN ames  will  not  change  during  a  run.  We  also  add  a  set  queries 
of  names  contained  in  queries  sent  by  c  that  a  has  not  yet  responded  to.  Since  we  are  assuming 
that  c  is  the  only  principal  that  sends  queries  to  a,  we  do  not  need  queries  to  keep  track  of  the 
sender.  So,  we  make  the  following  postulate: 

Postulate  5.4  (a’s  Local  States).  Every  local  state  in  La  consists  of  the  following  elements: 


•  adultN  ames  C  T:  the  set  of  names  of  the  principals  whom  a  would  assert  to  be  adults. 

•  queries  C  T:  the  set  of  names  of  the  principals  about  whom  c  has  queried  but  a  has  not 
yet  sent  an  assertion. 


(Notice  that  we  give  a  behavioral  interpretation  for  each  element.) 

We  now  specify  the  structures  of  the  local  states  of  the  other  principals  in  a  similar  manner,  c’s 
behavior  is  to  send  a  query  and  then  receive  the  response: 

Postulate  5.5  (c’s  Local  States).  Every  local  state  in  Lc  consists  of  the  following  elements: 


•  queriesT  oSend  C  T:  the  set  of  names  about  which  c  will  ( in  the  current  or  another  run ) 
send  a  query. 

•  asserted  AdultN  ames  C  T:  the  set  of  names  of  principals  whom  a  has  asserted  to  be 
adults. 


j  and  k  have  no  prescribed  behavior  and  therefore  always  have  empty  local  states: 
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Postulate  5.6  (j’s  and  k' s  Local  States).  Lj  =  Lk  =  {()} 


Having  specified  the  structures  of  the  principals’  local  states,  we  now  specify  the  set  TZ  of  runs 
of  the  system.  Runs  consist  of  global  states,  and  a  global  state  is  a  tuple  (sa,  sc,  (),  ())  where 
sa  G  La  and  sc  G  Lc  (the  last  two  elements  are  j’s  and  k’s  local  states,  which  are  always 
empty).  Each  run  consists  of  two  steps:  (1)  c  sends  a  query  to  a  containing  some  name,  and 
(2)  a  responds  either  that  the  named  principal  is  an  adult  or  that  a  does  not  know  whether 
the  named  principal  is  an  adult.  Just  as  for  local  states,  there  are  various  reasonable  ways  to 
specify  1Z  that  differ  in,  for  example,  the  allowed  initial  states  or  the  allowed  lengths  of  the  runs. 
The  following  is  the  least  restrictive  way  that  works  with  the  postulates  above  and  captures  the 
principals’  behavior: 

Postulate  5.7  (Runs).  7 Z  consists  of  all  runs  r  of  length  3  that  satisfy  the  following: 


•  There  exists  a  text  X  in  T  such  that  rc(l) .queriesTo Send  =  r c(0)  .queriesT oS end  \  {X} 
and  ra(l). queries  =  ra(0). queries  U  {X};  r(0)  and  r(l)  are  the  same  in  other  respects. 

•  There  exists  a  text  X  in  T  such  that  r a(2). queries  —  ra(l). queries  \  {X}, 
X  G  ra(l)  .adultN  ames  (and  ra(l)  .adultN  antes  =  ra(2). adult  Names),  and 
rc(2) .asserted AdultN ames  =  rc(l) .asserted AdultN ames  U  {X"};  r(l)  and  r( 2)  are 
the  same  in  other  respects. 

We  have  now  completely  specified  Ssav-  Figure  5.1  shows  a  run  of  Ssav- 


r*(  0) 


adultNames  =  {"joe"} 
queries  =  { } 


queriesToSend  =  { "j  oe" } 
assertedAdultNames  =  {} 


O  O 

j  k 


;■*(!) 


adultNames  =  {"joe"} 
queries  =  {"joe"} 


queriesToSend  =  {} 
assertedAdultNames  =  { } 


O 

j 


o 

k 


r*(2) 


r 

adultNames  =  {' 
^ queries  =  {} 

'joe"}^ 

J 

1 

a 

^queriesToSend  =  {} 

^ assertedAdultNames 

=  {"joe"}> 

\ — 

c 

O 

j 

O 

k 

j 

Figure  5.1 :  A  run  of  Ssav  in  which  c  asks  a  whether  the  principal  called  ‘joe’  is  an  adult  and  a  replies  that  he  is. 
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5.2.1  A  Formal  Language 

Although  a  model  like  Ssav  is  a  useful  description  of  a  protocol  application,  it  is  often  easier  to 
use  a  formal  language  whose  semantics  is  defined  in  terms  of  such  models.  We  could  adapt  the 
quantified  modal  language  developed  by  Adam  Grove  ([10];  cf.  Section  3.6)  for  this  purpose. 
Consider  r*  in  Figure  5.1  to  see  how  we  might  do  this.  Suppose  our  language  has  a  predicate- 
symbol  for  each  element  of  a  local  state  —  for  example,  the  predicate-symbol  ‘AdultName’ 
corresponds  to  the  set  adultN antes  in  a’s  local  state.  Just  as  Grove’s  logic  is  multi-sorted,  our 
language  has  two  sorts:  principals  and  texts.  V  is  the  domain  of  sort  principal,  and  T  is  the 
domain  of  sort  text.  Constants  of  sort  text  are  made  with  quotation  —  for  example,  ‘ ' joe ' ’ 
is  a  constant  that  denotes  the  text  ‘joe’.  As  with  Grove’s  logic,  all  text-sort  variables  are  upper¬ 
case,  and  all  principal-sort  variables  and  constants  are  lowercase.  Formulas  in  the  language  are 
satisfied  by  points,  but  otherwise  satisfaction  (‘k’)  is  defined  in  the  manner  standard  for  quan¬ 
tified  modal  languages  (cf.  Section  2.3),  except  that  for  now  we  ignore  formulas  with  modal 
operators.  We  get  the  following: 

(r*,0)  k  ‘  AdultName('  joe  ')’ 

(r*,  0)  k  ‘  QueryToSend('  joe  ')’ 

(r*,2)  k  ‘  AssertedAdultName('  joe  ')’ 

(r*,2)  k  ‘-<3X  Query ToSend (26)’ 

5.2.2  Limits  of  the  Model 

Notice  that,  although  the  interpretations  of  the  local  states  in  r*  capture  all  the  important  behav¬ 
ior,  they  still  leave  a  lot  out.  For  example,  they  do  not  tell  us  whom  ‘joe’  denotes  or  whether 
that  person  is  actually  an  adult.  They  also  do  not  tell  us  anything  about  the  beliefs  of  any  of  the 
principals.  In  the  next  section,  we  will  enhance  our  model  so  that  it  represents  the  principals’ 
beliefs  and  aspects  of  the  world  that  are  outside  of  the  protocol  but  nevertheless  relevant  (e.g., 
adulthood). 

5.3  Modeling  Beliefs 

The  concept  of  ‘protocol  system’  presented  in  the  previous  section  enables  us  to  describe  a 
protocol  in  terms  of  the  actions  of  principals  without  assuming  too  much  about  how  it  is  imple¬ 
mented.  It  views  principals  only  as  things  that  can  compute  and  exchange  messages.  It  does 
not,  by  itself,  enable  us  to  understand  how  a  protocol  achieves  its  goals  —  that  is,  how  princi- 
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pals  come  to  possess  their  goal  beliefs.  There  are  in  fact  two  related  problems  with  Ssav  (and 
protocol  systems  in  general),  which  I  mentioned  at  the  end  of  the  last  section:  (1)  it  leaves  out 
important  aspects  of  the  world,  such  as  the  set  of  adults  and  the  assignment  of  names,  and  (2)  it 
does  not  represent  principals’  beliefs. 

In  this  section,  we  will  use  ideas  from  modal  logic  and  the  multi-agent  systems  approach  to 
confront  these  problems  and  create  a  new  model  BSav  by  modifying  Ssav ■  This  will  provide 
us  with  a  good  solution  for  the  first  problem  (Subsection  5.3.1),  but  leads  to  some  new  problems 
when  applied  to  the  second  (Subsection  5.3.2).  This  section  ends  with  a  discussion  of  these  new 
problems. 

5.3.1  Modeling  Other  Aspects  of  the  World 

Bsav  will  be  an  expansion  of  Ssav-  We  can  solve  the  first  problem  by  including  relevant 
external  aspects  of  the  world  in  the  local  state  of  a  new  “pseudo-principal”  e  that  represents  the 
environment  in  which  a  run  occurs.  With  e’s  local  states,  we  can  model  who  the  adults  are  and 
who  has  what  name.  As  we  did  for  the  other  principals,  we  must  define  a  set  Le  of  the  possible 
local  states  of  e: 

Postulate  5.8  (e’s  Local  States).  Every  local  state  in  Le  consists  of  the  following  elements: 

•  adults  C  V:  the  set  of  adults 

•  nameOf:  V  — >  T:  the  assignment  of  names  (a  partial  function) 

We  call  the  members  of  Le  ‘environment  states’.  Unlike  our  specifications  of  the  local  states 
of  the  other  principals,  we  do  not  need  to  provide  a  behavioral  interpretation  of  the  elements  of 
environment  states,  because  the  environment- state  does  not  (necessarily)  determine  behavior.  It 
is  just  a  model  of  aspects  of  the  world  external  to  the  protocol  application. 

The  set  7 Z  of  runs  in  Bsav  is  the  same  as  in  SSav  (cf.  Postulate  5.7),  except  that  the  global 
states  include  environment  states.  Within  a  run,  only  a’s  and  c’s  local  states  change.  An  example 
is  shown  in  Figure  5.2. 

5.3.2  Modeling  Beliefs 

In  this  section,  we  add  aspects  of  relational  Kripke  structures  to  SSav  in  order  to  model  the 
beliefs  of  the  principals.  (For  an  overview  of  relational  Kripke  structures,  cf.  Section  2.3.) 
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f  \ 

— . 

r  \ 

/  \ 

adultNames  =  {"joe"} 
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e 

L _ _ _ J 

Figure  5.2:  A  run  of  BSav  in  which  c  asks  a  whether  the  principal  called  ‘joe’  is  an  adult  and  a  replies  that  he  is. 


Postulate  5.9.  BSav  =  (P,  P,  C.  TZ,  VV.  B)  where 

•  V  =  {a,  c,j,  k} 

•  T  is  the  set  of  texts. 

•  B  {Ta,  Lc,  Lj,  Lej 

•  TZ  the  same  as  in  Ssav,  except  that  the  global  states  include  environment  states. 

•  VV  is  the  set  of  possible  worlds. 

•  B  =  {Ba,  Bc,  Bj ,  Bk},  and  Bj  C  VV  x  Vd  for  each  i  in  V 

What  exactly  should  be  in  W?  In  the  multi-agent  system  approach  (which  is  concerned  with 
knowledge  rather  than  belief),  W  is  the  set  of  all  points  (r,  t).  The  “meaning”  of  a  world  (r,  t) 
—  that  is,  the  set  of  propositions  that  are  satisfied  by  that  world  —  comes  from  the  global 
state  r(t).  Even  if  the  set  of  global  states  is  finite,  the  set  of  points  is  infinite  because  runs 
are  infinitely  long.  Because  this  approach  is  used  to  model  agents’  knowledge  rather  than 
beliefs,  each  accessibility  relation  Kt  is  simply  defined  to  include  exactly  those  pairs  of  points 
((r,  t),  ( r',t '))  where  agent  i  has  the  same  local  state  in  r(t)  and  r'(t').  If  we  were  to  do  the 
same  thing  with  BSav >  W  would  be  7Z  x  {1,  2,  3}  (because  all  runs  have  a  length  of  3).  For 
now,  we  just  take  W  to  be  the  set  of  global  states  —  that  is,  W  =  La  x  Lc  x  Lj  x  Lk  x  Le  — 
and  focus  on  the  belief-relations. 
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In  particular,  consider  Bc  —  c’s  belief-relation  —  and  how  it  should  model  c’s  beliefs  during 
run  r*  (Figure  5.2).  At  the  end  of  the  run  —  that  is,  in  r*  (2)  —  c  should  believe  that  the  principal 
called  ‘joe’  is  an  adult.  This  would  be  modeled  by  imposing  the  following  condition: 

For  any  w  inW  such  that  (r*(2),  w)  G  Bc, 

for  any  p  in  V  such  that  w:nameOf(p )  =  ‘joe’,  p  G  w. adults.  (5.1) 

Figure  5.3  shows  a  very  small  part  of  what  Bc  might  look  like  if  it  satisfied  this  condition.  A 
very  nice  feature  of  this  model  is  that  it  clearly  shows  the  difference  between  a  name  and  the 
principal  it  denotes,  and  between  a  principal’s  beliefs  and  the  real  world.  This  model  highlights 
the  fact  that  principals  know  what  messages  they  sent  and  received,  but  are  still  “stuck  in  their 
own  heads”;  to  believe  something  about  the  rest  of  the  world  (e.g.,  about  the  environment  state) 
requires  an  assumption,  which  could  be  false. 


Figure  5.3:  A  Small  Sample  of  Bc. 


54 


It  seems  that  we  could  develop  this  model  into  something  like  Rangan’s  (Section  3.1)  that  cap¬ 
tures  the  assumptions  c  must  make  about  a’s  honesty  and  competence,  as  well  as  its  knowledge 
in  r*( 2)  that  a  asserted  that  the  principal  called  ‘joe’  is  an  adult.  We  then  would  no  longer  need 
to  explicitly  impose  (5.1)  because  the  goal  belief  would  logically  follow.  We  could  expand  the 
formal  language  begun  in  Subsection  5.2.1  into  a  modal  language,  add  axioms  and  inference 
rules  appropriate  for  modal  logics  of  belief,  and  then  construct  a  formal  proof  of  the  goal  be¬ 
lief  from  the  assumptions.  To  represent  c’s  assumption  of  a’s  honesty,  we  would  impose  this 
condition: 

For  any  w  in  W  such  that  (r*(2),  w)  £  B,  and  any  X  in  T, 

if  X  £  w. asserted  Adult  Names  then,  for  any  w'  in  W  such  that  (w,  vj ')  £  Ba, 

for  any  p  in  V  such  that  w'.nameOf(p)  =  X,  p  £  vJ .adults. 

This  is  a  mouthful,  and  so  we  would  express  it  with  the  formal  language,  perhaps  thus  (cf.  the 
definition  of  ‘1=’  for  formulas  with  modal  operators  in  Section  2.3): 

Bc MX ^AssertedAdultName(Ai)  — ■>  Ba  Vy(NameOf(y,  X)  — >  Adult  (y))  j  (5.2) 

We  would  impose  a  similar  condition  to  represent  c’s  assumption  of  a’s  competence.  It  could 
be  expressed  formally  with  a  formula  like  this: 

Bc MX  ^Ba  Vy(NameOf(y,  X)  — >  Adult (y))  — >  Vy(NameOf(y,  X)  — >  Adult (y))j  (5.3) 

Finally,  we  would  require  that  c  knows  that  it  has  received  a’s  assertion  that  the  principal  called 
‘joe’  is  an  adult.  (Actually,  this  would  probably  be  a  consequence  of  a  general  condition  that 
principals  know  their  own  states.) 

Bc  AssertedAdultN  ame  ('joe")  (5.4) 


So,  to  summarize,  we  would  require  that  Bc  and,  incidentally,  Ba  be  such  that  r*  (2)  satisfies 
(5.2),  (5.3),  and  (5.4).  We  would  next  check  (perhaps  with  a  formal  proof)  that  this  implies  that 
r*(2)  satisfies  the  condition  in  (5.1),  which  would  be  expressed  thus: 

Bc  Vy(NameOf(y, '  joe ')  — »  Adult (y))  (5.5) 
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In  other  words,  if  r*(2)  N  (5.2),  (5.3),  and  (5.4)  then  r*(2)  N  (5.5).  This  turns  out  to  be  the  case, 
and  the  formal  proof  could  be  done  using  Modus  Ponens,  rules  for  instantiating  quantifiers, 
and  a  special  set  of  axioms  called  ‘K’  that  hold  for  all  modal  logics  with  a  truth-functional 
conditional  operator  (like  our  >’)  and  a  possible-worlds  semantics.  K  (adapted  to  our  formal 
language)  is  the  set  of  all  formulas  with  the  following  form: 

r((® k{4>  — >  VO  a ^)n 

(0  and  stand  for  any  formulas  and  n  for  any  constant  of  sort  principal.)  All  formulas  in  K  are 
valid  no  matter  what  the  belief-relations  are,  because  their  validity  comes  from  the  way  worlds 
satisfy  formulas  whose  main  operator  is 

Below,  we  informally  prove  that,  if  r*(2)  h  (5.2),  (5.3),  and  (5.4)  then  r*( 2)  N  (5.5),  using  the 
properties  of  the  satisfaction-relation. 

Proof.  Remember  that  the  “real  world”  (which  is  the  perspective  in  which  we  are  doing  the 
proof)  is  r*(2).  The  main  operator  of  the  assumptions  ((5.2),  (5.3),  and  (5.4))  and  the  goal 
((5.5))  is  Bc,  and  we  are  thus  always  talking  about  c’s  beliefs,  which  is  the  same  as  talking 
about  all  the  worlds  that  c  considers  possible  (in  r*(2)).  So  we  switch  our  perspective  from 
r*(2)  to  an  arbitrary  world  w  such  that  (r*(2),  tv)  e  Bc.  From  the  assumptions,  we  know  the 
following: 

w  N  ‘  AssertedAdultName('  joe")’ 

w  N  'MX  ^AssertedAdultName(3f)  — >  Ba  Vy(NameOf(y,  X)  — >  Adult (t/)) 
w  N  'MX ^Bn V7/(NameOf(?/, X)  — >  Adult (y))  — ■>  Vy(NameOf(y, X)  — >  Adult(y))^’ 

Therefore, 

w  N  ‘ ^Asserted AdultName('  joe")  — +  Ba Vy(NameOf(y, '  joe")  — >•  Adult (y)) 
w  N  ‘ ^Ba Vy(NameOf(y, '  joe")  — >  Adult (y))  — »  Vy(NameOf(y, '  joe")  — ■>  Adult (y)) 

and  so 

w  N  ‘Vy(NameOf(y, '  joe")  — >  Adult(y))’ 
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We  have  now  proved  that  ‘Vy(NarneOf  (y, '  joe')  ^  Adult (y)) ’  is  satisfied  by  all  points  that 
c  considers  possible  in  r*( 2),  and  this  is  precisely  the  condition  for  r*( 2)  to  satisfy  (5.5).  □ 

5.3.3  Problems  with  the  Model 

That  was  fun,  but  the  proof  rests  on  an  uncertain  assumption:  that  such  a  world  as  w  exists.  In 
fact,  it  may  be  that  there  is  no  w  such  that  (r*( 2),w)  G  Bc.  This  would  not  mean  that  r*( 2)  does 
not  satisfy  (5.5):  rather,  it  would  mean  that  r*( 2)  satisfies  all  formulas  with  the  form  rE,.  0n! 
This  is  because  a  world  w  satisfies  a  formula  rBc  cB  if  and  only  if  each  world  w'  such  that 
(w,w')  G  Bc  satisfies  (f),  and,  if  there  are  no  such  worlds  w',  then  this  is  trivially  the  case.  In 
modal  logics  of  belief,  this  is  prevented  by  ensuring  that  each  belief-relation  Bp  is  serial  — 
that  is,  for  each  w  in  IV  there  exists  a  w'  in  VV  such  that  (  w,  w')  G  Bp.  This  means  that  all 
formulas  with  the  form  r(E(i.  <p  — >  -i  EK  -E)”1  are  valid,  and  so  they  are  usually  added  as  axioms 
(this  is  the  axiom-set  called  ‘D’).  But  we  do  not  know  enough  about  Bc  to  determine  whether 
it  is  serial.  Before  trying  to  do  proofs,  we  need  to  know  more  about  Bc  and  Ba  —  in  fact,  we 
need  to  define  them,  rather  than  just  specify  constraints  on  them.  It  turns  out,  though,  that  this 
is  difficult  to  do. 

Problem  1 

We  have  not  defined  Bc\  we  have  not  said  what  other  beliefs  c  has  at  r*( 2),  nor  have  we  said 
what  c  believes  at  any  other  world.  We  have  also  not  defined  Ba.  One  option  is  to  generalize 
the  conditions  we  imposed  on  r*(2)  to  represent  c’s  assumptions,  so  that  (5.2),  (5.3),  and  (5.4) 
are  satisfied  by  all  worlds.  In  fact,  this  makes  sense,  since  c  would  make  these  assumptions 
“a  priori ,”  independently  of  the  run  or  the  world.  But  if  we  take  this  general  approach  for  all 
principals’  assumptions  in  every  system,  we  get  some  unexpected  results.  For  example,  it  is 
impossible  to  model  a  case  where  a  principal  p  always  believes  (an  assumption)  but  in  some 
world  w*  another  principal  q  does  not  believe  that  p  believes  (j)  —  formally: 

w  N  rBp  (/>n  for  any  w  in  W  (5.6a) 

w*  N  r-i  Mq  Bp  (fp  (5.6b) 

Set  (5.6)  is  unsatisfiable  because  (5.6b)  implies  that  there  exists  some  world  w'  in  VV  such  that 
(w*,  w ')  G  Bq  and  w'  V  rBp  0n,  which  contradicts  (5.6a).  So  it  seems  that  we  need  to  choose 
just  a  subset  of  worlds  in  which  principals  make  their  assumptions.  The  problem  is  that  I  know 
no  natural  criterion  for  choosing  this  subset.  In  general,  a  description  of  a  situation  that  we  are 
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trying  to  model  will  only  tell  us  what  beliefs  hold  in  some  of  the  worlds,  and  our  modeling 
technique  does  not  have  a  general  principle  for  filling  out  the  rest  of  the  belief-relations.  For 
example,  in  the  multi-agent  system  approach  (in  which  W  is  the  set  of  points),  the  knowledge- 
relation  Kt  for  any  agent  i  is  defined  as  the  set  of  all  pairs  ((r,  t),  (■ r t'))  such  that  i  is  in  the 
same  local  state  in  r(t)  and  r'(f');  thus,  given  a  set  of  agents  and  a  set  7 Z  of  runs,  this  principle 
completely  defines  the  knowledge-relations.  However,  even  if  we  had  such  a  principle  for 
belief-relations,  we  would  have  another  problem  to  deal  with,  which  we  consider  next. 

Problem  2 

The  second  problem  is  that  a  given  definition  of  VV  might  restrict  which  sets  of  beliefs  we  can 
model  with  the  belief-relations.  To  see  how,  consider  a  very  simple  example.  Forget  about  our 
protocol  models  and  even  relational  Kripke  structures,  and  instead  suppose  that  a  world  consists 
of  just  a  bit,  whose  value  is  either  0  or  1.  Suppose  our  formal  language  is  a  propositional  modal 
logic,  and  in  this  language  ‘p’  denotes  the  proposition  that  the  bit’s  value  is  1.  There  are  two 
principals,  a  and  b.  For  now,  let  W  contain  just  two  worlds  —  one  world  in  which  the  bit’s 
value  is  0,  and  another  in  which  it  is  1.  Suppose  we  want  to  impose  the  following  conditions  on 
the  belief-relations  Ba  and  Bi,: 


•  a  always  (i.e.,  in  all  worlds)  knows  the  bit’s  value. 

•  There  is  a  world  w*  in  VV  in  which  a  believes  that  b  believes  that  the  bit’s  value  is  1,  but 
in  fact  b  does  not  believe  this. 

•  Both  belief-relations  are  serial. 


Formally: 

w  N  ‘((p  — ■>  Bttp)  A  (-ip  — »  Ba  — ip))  ’  for  any  w  in  W  (5.7a) 

w*  N  ‘(BaB{,p  A  -iBftp)’  (5.7b) 

w  N  r(BK  0  — ■>  -i  Bk  for  any  w  in  W  (5.7c) 

The  first  two  conditions  are  mundane.  The  last  one  —  seriality  —  is  important  because  without 
it  there  are  worlds  for  which  at  least  one  of  the  belief-relations  is  meaningless,  in  that  it  causes 
a  principal  to  believe  everything  in  these  worlds. 
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It  turns  out  that  it  is  impossible  to  satisfy  conditions  (5.7)  with  just  the  two  worlds  in  VV.  If  we 
drop  seriality  ((5.7c))  we  can  satisfy  (5.7a)  and  (5.7b),  but  the  meanings  of  the  belief-relations 
then  become  questionable.  The  problem  is  not  that  these  conditions  are  mutually  contradictory: 
in  fact,  if  we  add  to  VV  an  additional  world  in  which  the  bit’s  value  is  1,  then  all  three  conditions 
can  be  satisfied.  One  way  of  doing  this  is  shown  in  Figure  5.4.  In  this  example,  the  bit’s  value 
happens  to  be  1  in  w*,  and  so  its  value  must  be  1  in  every  world  that  a  considers  possible  at 
w*.  a  has  a  false  belief  about  V s  belief  about  the  bit,  and  so  a  cannot  consider  w*  possible; 
therefore,  we  need  an  extra  world  in  which  the  bit’s  value  is  1  and  a’s  belief  about  V s  belief 
is  true.  In  general,  it  seems  that  this  problem  comes  from  principals  having  false  beliefs  about 
other  principals’  beliefs,  which  causes  the  belief-relations  to  interfere  with  each  other  if  there 
are  not  enough  worlds  in  W. 


Figure  5.4:  One  way  of  satisfying  conditions  (5.7)  with  an  extra  world. 


The  same  thing  can  happen  with  Bsav ■  In  Section  5.2  and  Subsection  5.3.1  we  came  up  with 
well-motivated  definitions  of  the  local- state  sets  L,  and  the  environment- state  set  Le ,  and  it 
seems  that  defining  W  as  La  x  Lc  x  L3  x  Lk  x  Le  would  capture  all  the  interesting  possibil¬ 
ities  for  the  protocol  application.  Nevertheless,  if  W  is  finite  (which  it  is  if  and  only  if  T  is 
finite),  I  would  expect  that  there  are  still  sets  of  reasonable  conditions  that  cannot  be  satisfied. 
This  will  not  be  a  problem  if  W  is  infinite,  but  then  we  get  the  first  problem  discussed  above. 
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CHAPTER  6: 
Conclusion 


This  thesis  has  presented  a  view  of  security  protocols  as  devices  that  enable  principals  to  acquire 
security-relevant  beliefs  based  on  their  “technical”  knowledge  and  beliefs  (about,  e.g.,  cryptog¬ 
raphy  and  computer  networks),  on  their  assumptions  about  the  meanings  of  messages  and  the 
names  that  appear  in  messages,  and  on  their  trust  in  other  principals.  We  call  these  beliefs  a 
protocol’s  “required  assumptions.” 

We  found  that  protocols’  required  assumptions  are  often  less  about  principals  than  about  keys 
and  names  and,  in  particular,  the  way  names  are  used.  We  then  quickly  discovered  that  to 
understand  such  assumptions  we  must  make  some  very  subtle  distinctions  between  different 
ways  of  naming,  and  such  distinctions  are  usually  made  by  philosophers  rather  than  computer 
scientists,  and  certainly  not  by  the  average  user  who  encounters  TLS  most  often  when  shopping 
at  Amazon.  And  yet  these  distinctions  can  be  essential  to  understanding  how  a  security  protocol 
is  supposed  to  achieve  its  goals,  as  we  saw  with  the  example  of  using  OpenID  for  authentication 
(Subsection  4.3.2). 

The  complexity  of  some  of  the  required  assumptions  calls  for  a  formal  modal  language  that  can 
deal  with  naming.  This,  in  turn,  calls  for  a  meaningful  model  on  which  to  build  a  semantics. 
We  took  an  initial  step  toward  this,  but  found  problems  with  modeling  belief  using  Kripke 
structures  while  requiring  that  the  parts  of  the  model  representing  a  principal’s  state  have  a 
behavioral  interpretation. 

6.1  More  on  NSTIC 

We  discussed  the  White  House’s  “National  Strategy  for  Trusted  Identities  in  Cyberspace” 
(NSTIC)  in  Chapter  1.  I  claimed  that  NSTIC’s  mechanisms  for  online  identification  and  au¬ 
thentication  are  riskier  than  those  they  are  meant  to  replace,  because  they  require  more  trust  on 
the  part  of  users.  Here,  I  will  give  an  example  of  this  additional  trust.  (While  I  was  working 
on  this  thesis,  Ross  Anderson  presented  a  paper  ([44])  about  similar  problems  with  federated 
authentication  in  general,  in  which  he  mentions  NSTIC.  I  highly  recommend  it  to  anyone  inter¬ 
ested  in  the  practical  difficulties  with  requiring  a  lot  of  trust  from  users.) 

There  are  multiple  kinds  of  trust  required  by  the  White  House’s  mechanisms  that  are  not  re- 
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quired  by  traditional  mechanisms,  but  one  of  the  more  important  ones  occurs  in  an  example 
provided  by  the  White  House  itself  in  its  discussion  of  the  privacy-relevant  aspects  of  its  mech¬ 
anisms: 

The  offline  world  has  structural  barriers  that  preserve  individual  privacy  by  limit¬ 
ing  information  collection,  use,  and  disclosure  to  a  specific  context.  For  example, 
consider  a  driver’s  license:  an  individual  can  use  a  driver’s  license  to  open  a  bank 
account,  board  an  airplane,  or  view  an  age-restricted  movie  at  the  cinema,  but  the 
Department  of  Motor  Vehicles  does  not  know  every  place  that  accepts  driver’s  li¬ 
censes  as  identification.  It  is  also  difficult  for  the  bank,  the  airport,  and  the  movie 
theater  to  collaborate  and  link  the  transactions  together.  At  the  same  time,  there  are 
aspects  of  these  offline  transactions  that  are  not  privacy-protective.  The  movie  the¬ 
ater  attendant  who  checks  an  individual’s  driver’s  license  needs  to  know  only  that 
the  individual  is  over  age  17.  But  looking  at  the  driver’s  license  reveals  extraneous 
information,  such  as  the  individual’s  address  and  full  date  of  birth.  [1,  p.  11] 

As  they  say,  the  White  House’s  mechanisms  ideally  “should  preserve  the  positive  privacy  bene¬ 
fits  of  offline  transactions  while  mitigating  some  of  the  negative  privacy  aspects”  (ibid.),  and  of 
course  they  should  do  the  same  for  the  traditional  online  mechanisms  that  they  replace.  How¬ 
ever,  while  the  White  House’s  mechanisms  might  be  able  to  limit  extraneous  information  given 
to  service  providers  without  additional  trust  requirements  (but  probably  not,  although  it  de¬ 
pends  on  the  details  of  the  mechanism),  they  will  not  be  able  to  prevent  identity  providers  like 
the  DMV  from  retaining  information  about  the  services  that  users  use.  They  replace  a  physical 
guarantee  of  privacy  with  a  requirement  that  the  user  trusts  the  identity  provider  to  protect  the 
user’s  privacy  by  behaving  well  —  specifically,  by  abiding  by  the  “Fair  Information  Practice 
Principles”  (cf.  ibid.,  p.  45). 

Something  similar  will  happen  when  an  NSTIC  mechanism  replaces  digital  mechanisms  like 
password-based  authentication.  Right  now,  my  online  bank  account  is  protected  with  a  username- 
password  pair,  and  my  bank  and  I  know  that,  if  the  security  mechanisms  work,  only  we  can 
access  that  account.  But  in  the  NSTIC  vision,  my  bank  will  depend  on  an  assertion  from 
an  identity  provider  to  authenticate  me,  and  therefore  to  be  satisfied  that  only  I  or  the  bank 
will  access  my  account,  we  must  trust  the  identity  provider  not  to  accidentally  or  deliberately 
misidentify  someone  else  as  me.  (An  interesting  question  is,  if  someone  gets  into  my  account 
somehow  and  steals  money  from  it,  how  liable  are  the  bank  and  the  identity  provider?  For  more 
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on  this  theme,  cf.  [44].) 


6.2  Future  Work 

The  most  pressing  future  work  is  to  address  the  issues  with  the  belief  model,  discussed  at 
the  end  of  Chapter  5.  We  may  need  to  abandon  the  principle  that  all  parts  of  a  local  state 
have  behavioral  interpretations,  and  represent  beliefs  directly  in  local  states.  This  then  raises 
the  question  of  how  to  represent  beliefs.  BAN  Logic  and  Rangan’s  method  include  formulas 
from  the  formal  languages  in  the  models,  and  this,  at  least  on  the  surface,  seems  inappropriate. 
Whatever  approach  is  taken,  the  result  should  be  a  model  with  clear  criteria  for  determining 
whether  it  applies  to  a  given  real-world  situation  —  in  short,  it  should  be  meaningful. 

In  Chapter  4,  we  did  not  go  far  in  understanding  the  differences  between  the  two  meanings 
of  ‘call’;  we  also  did  not  consider  whether  there  might  be  other  types  of  names  relevant  to 
security  protocols.  An  interesting  future  project  would  be  to  list  all  the  types  of  names  that 
security  protocols  use,  and  also  to  investigate  the  usefulness  of  the  concepts  in  the  philosophical 
literature  on  naming  such  as  [25],  [28],  and  [29]  with  regard  to  understanding  the  types  of  names 
used  in  security  protocols. 

Finally,  the  ultimate  goal  would  be  to  present  the  required  assumptions  of  a  representative  col¬ 
lection  of  widely  used  security  protocols,  including  multiple  protocols  for  a  given  purpose  (e.g., 
authentication).  This  would  be  very  useful  for  understanding  all  the  questionable  assumptions 
we  are  making  without  even  knowing  it  whenever  we  use  our  computers. 
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